I’m sure you’ve seen the message before. You try to log into a website you go to every now and then, and forget which password you used for it, or type something in wrong. “Sorry, this password is incorrect,” says the website. You grumble to yourself and try again, paying little attention to the harmless message. From a programmer’s perspective, it’s a bit more interesting than that.
With a SQL database backend, it’s quite easy to figure out a login problem. It’s a simple matter of searching the database for a username that is equal to the one the user entered. If the password of that row matches the password the user entered (generally stored as an MD5 hash), then the user can log in. If it doesn’t, they get the “incorrect password” message, and if the username search returns zero rows, they get an “incorrect username” message. Simple and secure, right?
Wrong. The problem with telling the user that the password was the incorrect data entered is that it lets them know that the username is correct. For someone legitimately logging into the website, this is great. They know exactly what to fix, they fix it and move on. For someone who doesn’t actually own the account, however, this message is a lot more interesting.
Potentially, a script could be written to try thousands, even millions of usernames all with the same password. Once an “incorrect password” message is reached, the script can then try another list of thousands to millions of passwords, until it gets an account. All automated, and very simple.
So, the solution is to not let the user know what’s wrong. Just say “incorrect login details.” Something is wrong, but we’re not gonna tell you what. Good luck! This will stop any username-guessing script. Now, you can’t tell a valid username from an invalid username. However, some websites like to have lists of their members, or the hacker may already know a username for some reason. So, how do we combat this?
Login try limits. After 5 failed attempts, lock out the IP address in question. Any user who just typed something wrong should be able to get it right within five tries, and blocking the IP will stop additional attempts from that address. However, some robots are more complex than this.
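As an added example (not code from the original post), here is the leaky check described above beside a version that returns one generic message and applies the post’s five-attempt lockout. The salted SHA-256 hashing, the in-memory user table and the per-address counters are assumptions made for the demo, not the post’s scheme.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 5                        # lockout threshold from the post
GENERIC_ERROR = "incorrect login details"


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: salted SHA-256 instead of the post's plain MD5.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user table: username -> (salt, hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so unknown usernames still cost one hash computation.
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

failed_attempts = {}                    # client address -> failed count


def leaky_login(username: str, password: str):
    """The scheme the post criticises: the message reveals which part was wrong."""
    record = USERS.get(username)
    if record is None:
        return False, "incorrect username"
    salt, expected = record
    if not hmac.compare_digest(_hash(password, salt), expected):
        return False, "incorrect password"
    return True, "welcome"


def login(username: str, password: str, client_ip: str):
    """Generic failure message plus lockout after MAX_ATTEMPTS failures."""
    if failed_attempts.get(client_ip, 0) >= MAX_ATTEMPTS:
        return False, "too many failed attempts"
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Both unknown user and wrong password take the same path and message.
    ok = username in USERS and hmac.compare_digest(_hash(password, salt), expected)
    if not ok:
        failed_attempts[client_ip] = failed_attempts.get(client_ip, 0) + 1
        return False, GENERIC_ERROR
    failed_attempts.pop(client_ip, None)   # reset the counter on success
    return True, "welcome"
```

The counter lives in process memory here; a real site would keep it in the database or a cache so it survives restarts and is shared across web servers.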
When it comes down to it, if someone really wants to get into your website, they will. A botnet with millions of different IP addresses could foil the above scheme. Additionally, proxies could get around this block. It would seem that there is no way to keep a website secure.
The responsibility falls on the user, really. Most websites say somewhere that if someone breaks into your account, they aren’t responsible. Website admins should have really long, annoying-to-type passwords, because they can easily save the password somewhere, and normal users should have passwords that are strong enough. If you’re really worried that someone will break into your account, choose a better, longer password.
Or, do we need to go above and beyond passwords? Is there a level of security past passwords that we have yet to reach? A lot of computers now have fingerprint readers. Could we have websites that require your fingerprint as your password? How about an image? A website could issue you a completely random image for your password. You save this image, and have to upload it any time you want to log in. The image would have to be small enough for dial-up users to be able to upload it, but it could be big enough to be very, very random.
So, security isn’t perfect. I doubt it ever will be. If someone really, really wants to break into something, they will. This is why we have jails.