Re: Concurrent Sessions and User Feedback

From: Daniel Staal (DStaal@usa.net)
Date: Sun Apr 06 2003 - 20:15:17 EDT


--On Saturday, April 5, 2003 2:33 PM -0500 Susan Olson
<olson.susan@excite.com> wrote:

> My question...what is the best way to handle "feedback" for users
> attempting to access an account that is already logged-on?
> Currently, users get a message stating that the account that they
> are attempting to use is already logged-on. I am not comfortable
> with this because it lends to the possible harvesting of valid
> UserIDs & Passwords by an "evil doer." Also, I have a similar
> issue with the "feedback" given to users when an account is locked
> out..."Your account is currently locked out, please contact an
> administrator" in that I only get this message when I have entered
> a valid User ID & Password for an account that is locked out -
> seems to facilitate harvesting as well.
>
> If anyone could provide me with some ideas/strategies, etc. on how
> to implement this securely I would greatly appreciate it!

No specific suggestions besides the obvious: change the error
messages so that they are all the same. (Something along the line of
"This username/password combination is not valid at this time." It
is true in all cases...)

The problem of course is debugging. You may want to put in error
codes for debugging (though a smart attacker could figure the error
codes out and then you are back where you started. Still, it would
be useful *before* you deploy at least, and you could remove them at
the end of a debug cycle.)

The other problem is if you have an attacker smart enough to check
timing differences. If the time to decide one case is detectably
different from the other, that allows an avenue of opportunity. It
may happen that all differences are indistinguishable from network
latency variations, but you would want to be sure...

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes. This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---------------------------------------------------------------
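An added example (not part of Daniel's message or the original thread) of the approach described above: every failure, whether the user does not exist, the password is wrong, the account is locked, or the account is already logged on, returns the same message to the client, and the specific reason goes only into a server-side audit code rather than an error code the client could decode. The password hash is computed on every path, including for unknown usernames, so the dominant cost of the check does not vary with the reason for failure. The user table, salts, passwords and the choice of PBKDF2 are all assumptions constructed for the demo.

```python
"""Uniform login feedback with a server-side-only audit code.

Added example, not code from the original thread. Assumptions: the user
table, salts and passwords are constructed for this demo, PBKDF2-SHA256
is the chosen password hash, and the audit code is written to a
server-side log and never sent to the client.
"""
import hashlib
import hmac
from dataclasses import dataclass

# The one message every failure returns to the user; it is true in all cases.
GENERIC_MESSAGE = "This username/password combination is not valid at this time."

PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-cost password hash so every login path does the same work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user table for the demo; a real deployment loads this from storage.
# Salts are fixed constants here only so the example is deterministic.
USERS = {
    "alice": {"salt": b"salt-alice-0001",
              "hash": hash_password("correct horse", b"salt-alice-0001"),
              "locked": False, "logged_on": False},
    "bob":   {"salt": b"salt-bob---0002",
              "hash": hash_password("battery staple", b"salt-bob---0002"),
              "locked": True, "logged_on": False},
    "carol": {"salt": b"salt-carol-0003",
              "hash": hash_password("hunter2", b"salt-carol-0003"),
              "locked": False, "logged_on": True},
}

# Hash compared against for unknown usernames, so "no such user" costs as
# much as "wrong password" instead of returning early.
DUMMY_SALT = b"salt-dummy-0000"
DUMMY_HASH = hash_password("not-a-real-password", DUMMY_SALT)


@dataclass
class LoginResult:
    ok: bool
    message: str      # what the client sees
    audit_code: str   # what the server log sees; never returned to the client


def authenticate(username: str, password: str) -> LoginResult:
    """Check credentials without telling the client which condition failed.

    Every condition is evaluated; there is no early return, and the password
    hash is always computed, so neither the message nor the bulk of the work
    done depends on the reason for failure.
    """
    record = USERS.get(username)
    salt = record["salt"] if record is not None else DUMMY_SALT
    stored = record["hash"] if record is not None else DUMMY_HASH

    # Constant-time comparison of the freshly derived hash against the stored one.
    candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, stored) and record is not None

    # Collect every failure condition; none short-circuits the others.
    reasons = []
    if record is None:
        reasons.append("NO_SUCH_USER")
    if not password_ok:
        reasons.append("BAD_PASSWORD")
    if record is not None and record["locked"]:
        reasons.append("LOCKED")
    if record is not None and record["logged_on"]:
        reasons.append("ALREADY_LOGGED_ON")

    if not reasons:
        return LoginResult(True, "Welcome.", "OK")
    # Identical user-facing text for every failure; detail goes to the log only.
    return LoginResult(False, GENERIC_MESSAGE, "+".join(reasons))


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("nobody", "anything"), ("bob", "battery staple"),
                     ("carol", "hunter2")]:
        r = authenticate(user, pw)
        print(f"{user:6} -> client: {r.message!r}  log: {r.audit_code}")
```

The audit code answers the debugging concern raised above without handing the attacker a decodable error code: it lives in the server log, so it can stay in production. Equalising the hash work removes the largest timing difference, but it does not make the paths identical (the dictionary lookup and the list appends still differ by a small amount), so measuring the deployed endpoint over the network is still the only way to be sure the remaining variation is lost in latency noise.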




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT