The Danger of “Incorrect Password”

by on May.11, 2009, under thoughts, website

I’m sure you’ve seen the message before. You try to log into a website you go to every now and then, and forget which password you used for it, or type something in wrong. ”Sorry, this password is incorrect,” says the website. You grumble to yourself and try again, paying little attention to the harmless message. From a programmer’s perspective, it’s a bit more interesting than that.

With a SQL database backend, it’s quite easy to figure out a login problem. It’s a simple matter of searching the databse for a username that is equal to the one the user entered. If the password of that row matches the password the user entered (generally md5 encoded), then the user can login. If it doesn’t, they get the “incorrect password” message, and if the username search returns zero rows, they get an “incorrect username” message. Simple and secure, right?

Wrong. The problem with telling the user that the password was the incorrect data entered is that it lets them know that the username is correct. For someone legitimately logging into the website, this is great. They know exactly what to fix, they fix it and move on. For someone who doesn’t actually own the account, however, this message is a lot more interesting.

Potentially, a script could be written to try thousands, even millions of usernames all with the same password. Once an “incorrect password” message is reached, the script can then try another list of thousands to millions of passwords, until it gets an account. All automated, and very simple.

So, the solution is to not let the user know what’s wrong. Just say “incorrect login details.” Something is wrong, but we’re not gonna tell you what. Good luck! This will stop any username-guessing script. Now, you can’t tell a valid username from an invalid username. However, some websites like to have lists of their members, or the hacker may already know a username for some reason. So, how do we combat this?

Login try limits. After 5 failed attempts, lock out the IP address in question. Any user who just typed something wrong should be able to get it right within five tries, and blocking the IP will stop from additional attacks. However, some robots are more complex than this.

When it comes down to it, if someone really wants to get into your website, they will. A botnet will millions of different IP addresses could foil the above scheme. Additionally, proxies could get around this block. It would seem that there is no way to keep a website secure.

The responsibility falls on the user, really. Most websites say somewhere that if someone breaks into your account, they aren’t responsible. Website admins should have really long annoying to type passwords, because they can easily save the password somewhere, and normal users should have passwords that are strong enough. If you’re really worried that someone will break into your account, choose a better, longer password.

Or, do we need to go above and beyond passwords? Is there a level of security past passwords that we have yet to reach. A lot of computers now have fingerprint readers. Could we have websites that require your fingerprint as your password? How about an image? A website could issue you a completely random image for your password. You save this image, and have to upload it any time you want to login. The image would have to be small enough to let dial up users be able to upload the image, but it could be big enough to be very, very random.

So, security isn’t perfect. I doubt it ever will be. If someone really, really wants to break into something, they will. This is why we have jails.

:, , ,

2 Comments for this entry

  • Jettatura

    The top security features today for failed log-in attempts is to…

    1. Lock the Account in question if there were too many failed log-in attempts (3+). The user must call customer service (banks do this) or simply ask for a password reset which would be sent to the username’s e-mail address.

    2. After 3+ failed attempts, display an auto-generated image with text that is skewed, rotated, and filtered in many other ways randomly, letter by letter, to make it hard/impossible for text recognition software to read (Gmail and other mail programs do this, and some do it so well I almost have trouble reading it as a human). The correct text must be entered with the correct username and correct password to login.

    And, yes, most sites give a list of usernames in one way or another. One you didn’t mention is when signing up, you’re always presented with a “username exists already” message. Programmers, logically, always program username checks first because it’s the first field entered, then the rest of the fields, such as password. So you can make a script that will find usernames that exist without ever signing up by simply making some other field incorrect. If you get the “username exists error,” then you found one that exists, otherwise you’ll get passwords don’t match or something and can continue on with another without signing up. This can easily be fixed by making the username, the first thing entered, the last thing checked for errors, so you’re doomed to sign-up with anything that does not exist, then just implement something that prevents account creation flooding.

    As far as member lists go, when signing-up a display name should be a required field which will be used in place of the username everywhere. Usernames should be kept secret just like passwords.

    An image that must be downloaded can be taken by a man-in-the-middle attack and be really inconvenient for those who hop from computer to computer, as they’d need to have the image with them at all times.

    I don’t think there is any fool-proof security or ever will be, but not showing usernames and locking an account or requiring something that only a human can do after a number of incorrect login-attempts are good security measures.

  • TrueJournals

    Oh, yes, I realize that there is no be-all end-all security method, I just remember hearing about the “image as a password” concept a while ago, but have never seen it executed. As a fun excersise, I whipped up a little login system at You can register with register.php and an image will be sent to your e-mail. You can then login (login.php), or say that you forgot your password (forgotpw.php). Note that my script probably has some security flaws of its own, but I still think it’s an interesting concept.

    After I wrote this blog post, I even started thinking about more reasons why “image as a password” is a bad idea, most of which you covered above. I think the only way you can have a truly secure login is if you don’t have any members 😉

Leave a Reply

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...