I never said secure. There’s a difference. If I have $1000 in cash in my house and it’s in a safe, I can tell anyone I want because it’s secure. If I have $1000 in cash in my house and never tell anyone, I can keep just about anywhere I want to because nobody knows to go looking for it.
Oh, it won’t hurt. But it won’t help, either, and anyone who thinks it will help probably knows little enough about security that they’re likely to have made mistakes elsewhere that really will hurt.
Locking the knob after I’ve already locked the deadbolt isn’t really going to keep anyone out of my house, either. But, again, that’s no reason to go around handing out the keys to the knob lock.
The OP suggests that a delay between logon attempts or a limit on incorrect entries would foil a brute-force attempt. However, given my experience with users and their passwords, brute-force would be gross overkill. A little social engineering, and you can guess waaaay too many users’ passwords in two or three tries.
Or better yet, just use the userid and tack numbers onto the end of it (e.g.: knowing that a userid is “foo”, an attacker could use “foo1”, “foo12”, “foo123”, “foo1234”, etc.). Even if the system had a delay to thwart brute-force attacks, an attacker could use multiple machines, each with a different segment of the list.
As others have said above, there is absolutely no reason to give an attacker any clue whatsoever as to any piece of the puzzle.
Except it’s not like handing out keys to your knob lock. It’s like removing the address numbers from your front porch so burglars can’t find your house.
I love it, because this is exactly the metaphor I use when I’m explaining user IDs and passwords to new email users. “Your user ID is like your street address: I have to know it if I’m going to send you mail. Your password is like the key to your house: if I have that, I can rob you blind.”
Actually, it’s not really like either. It’s more like this:
There’s a finite but very large number of houses (usernames), and a finite but very large number of housekeys (passwords). Some houses have something of value in them (valid usernames), but most are really just a big empty box, which can’t actually be opened (invalid usernames).
If the only feedback you provide is that either the username or the password is incorrect, then a burglar has no choice but to try every key in every house. Some burglars will just give up at that point.
If you specify that the username is valid and only the password is incorrect, then the burglar only has to try one key at each house to know whether it’s a house of value or an empty one. It makes the burglar’s job considerably easier.
So yes, keeping usernames private does help, in that it slows an attacker down considerably. Obviously, security should go far, far beyond that, but that’s no reason not to also do this.
Ah, good old security through obscurity. This is what we in the security industry don’t do.
Not disclosing user names has several functions. Most posters here are presuming that the only way to attack a site is through brute-force login attempts. This is a very simplistic way of looking at the problem, and I’ll explain why:
Let’s say I manage to mine 10000 usernames through random brute force attacks, using the kind of login scheme that the OP requested. Commonly, some if not all of these usernames may or may not be connected to an e-mail account, so suddenly I have access to perhaps several thousand active e-mail addresses. If I’m just a spammer, then this would be fine. Now if I’m really feeling mean, I’ll perform a phishing attack against the e-mail addresses I mined, collecting as many passwords as I can. With these I can then get access to the site.
As mentioned, many sites lock the attacker out after a certain number of login attempts. If I have hostile intent, I’ll turn this into a denial-of-service attack, constantly locking users out of the site and damaging its user base.
So indeed, not making an attacker’s life any easier is the point.
Or the burglar watches to see which houses have people driving home to them every night, or the burglar picks up a copy of the phone book.
If you want to make the burglar’s job harder, then do it properly, by requiring that the passwords be longer. Don’t try to pretend that the username is a second password.
You don’t? Then post your username and password here in the forum, for all your accounts. Financial data first.
Are you going to rely on every web site on earth to get this right 24/7/365 just so you get a marginally more informative error message? Gee thanks, on behalf of web site developers everywhere.
I never suggested anything of the kind. I’m just saying, and you seem to agree, that knowing which usernames are valid is helpful to an attacker. (As kombatminipig pointed out, they can be very useful even without a matching password.) That doesn’t mean that *not* knowing them will keep an attacker out, but it does mean you shouldn’t just advertise them. My point is simply that anything you can do to make life harder for an attacker is better, so you should do *everything* you can. Belt and suspenders, you know?
Excuse me, are we talking about the usernames that appear on the posts?
You know… <a style="" class="bigusername" href="member.php?u=NumericalID">UserName</a> <------- the ones right there in all posts?
Not the usernames for a message board. There are probably easier ways to crack vBulletin. The primary concern is for servers and websites that require a username and password to access anything.
Oh, in general…
The few places I need to log on usually give me either “no such user” or “incorrect password”…I always thought the one-or-the-other thing was just coding laziness; you know, check for name/pass combination to exist - true or false, if false present the “whatever, you failed at logging in”-message.
OK, then, why not require all passwords to be 128 characters long?
You obviously don’t understand the semantic difference between obscurity and secrecy.
Keeping your money under your mattress relies on the knowledge of that money’s existence not being known, nor available through an educated guess. All you need is one person other than you with that knowledge, or one burglar who knows where to look, and your entire security scheme is void. This is security by obscurity.
By comparison, by storing your money in your bank, you’re free to tell the world what bank you are using, how much cash you have there, you can even (in parts of the world where check fraud isn’t common, such as those parts of the world who have stopped using checks) divulge your account number and your money is still no less secure. The bank (we’ll ignore online banking for the sake of the analogy, security becomes way more complex there) required your presence in order for you to access your account. This is authentication.
A password is a form of authentication. By being kept secret and easily changed should this secret no longer be so (unlike your hiding place), it authenticates who you are.
So? You have my username right here, and you’re free to try to use it to hack my account. I don’t need to rely on it being obscure, because I have my password. My password you’re not getting, because that’s my authentication.
You can have my bank account number as well if you’d like. It doesn’t need to be obscure, because any online transaction requires a password. Hell, you can even have the password I just used, because it will be changed as soon as I end the transaction. My pin code and the dongle I use to generate new passwords you’re not getting though, because that’s my authentication.
Are you beginning to get my drift?
Indeed, and this is more or less a security issue, though a trivial one in the context. User names here have often little connection to any other context, and the damage that can be done is minimal. A simple way of fixing this would be to separate username and display name, as many sites do,
You can, and this reminds me of the policy that many companies have of requiring password changes every three months or so. The trade-off is that users will either stop using the service altogether because it’s too much trouble, or start using far too simple passwords (128 a’s), or defeat the secrecy part of the scheme by writing them down on post-its on their desks.
But indeed, if users could reliably remember 128 character passwords in their heads and didn’t mind typing them out, it would be great.
And yes, I am an avid fan of Bruce Schneier.