#102 ✓resolved
sabat (at area51)

Login Error Msgs Options for Security

Reported by sabat (at area51) | May 2nd, 2009 @ 01:39 PM

From an applications security perspective, it's usually better not to reveal certain information in error messages. When a user (or potentially, an attacker) has tried to log in with a bad username, you want to issue the same error message as when he has entered an incorrect password. This way, an attacker cannot use the error messages to tell whether he's found a legit login to try to exploit.

Check this out for a better write-up than I've done here:

http://www.gnucitizen.org/blog/u...

Attached to this ticket is a patch that gives Authlogic users the option to write a single error message for both error conditions (bad login, bad password). Default is normal behavior, although I did change the wording slightly.

I'm not 100% sure that I've made this feature in the cleanest way possible, but hopefully you see the need and can at least use my code as a starting point.

The patch also includes a couple of small fixes to comment grammar (typos etc.).

BTW, it goes without saying that Authlogic is excellent, and is my standard authorization module.

Comments and changes to this ticket

  • sabat (at area51)

    sabat (at area51) May 2nd, 2009 @ 01:44 PM

    • Title changed from “Login Error Msgs Improvement Options for Security” to “Login Error Msgs Options for Security”

    No idea why the original title read like Engrish. Fixed.

    Also, I forgot to mention: this patch is against 2.0.11. I haven't tried against the trunk yet.

  • sabat (at area51)

    sabat (at area51) May 2nd, 2009 @ 01:47 PM

    Confirmed -- patches cleanly against trunk from github.

  • Ben Johnson

    Ben Johnson May 4th, 2009 @ 12:08 AM

    • State changed from “new” to “open”

    Hi Sabat,

    You aren't the first person that has commented on this. I like your approach, but at the same time I don't know that these messages really are a security vulnerability.

    First, the brute force protection in authlogic is enabled by default, assuming you have the failed_login_count field in your table. After 50 consecutive failed logins the user gets temporarily banned for 2 hours. Then, if you are extra secure, you could use bcrypt. Regardless of the error messages, to try a dictionary attack on a system with that much security would take centuries, if not longer.

    Lastly, these error messages are configurable with the I18n feature, which leverages the Rails I18n class. You just create your localization configuration files, add in the Authlogic keys, and you are good to go:

    http://authlogic.rubyforge.org/c...

    Does that change your stance on the issue any? I hope this helps. Thanks.

  • Ben Johnson

    Ben Johnson May 4th, 2009 @ 12:09 AM

    Also, all of the brute force protection features are configurable, check out the module in the documentation. If you really wanted to be hardcore you could increase the banned time or ban them permanently. It's really your call.

    http://authlogic.rubyforge.org/c...

  • sabat (at area51)

    sabat (at area51) May 4th, 2009 @ 12:40 AM

    The brute force protection does offer some help, and it might be enough if the security problem was merely to stop brute-force account hacking. This is also used in a bunch of other devious ways -- social engineering, for one -- so giving away this info can still be a bad idea, depending on the app, of course. Some people (in the finance world, for instance) may not have a choice; if the app is exposed to the internet, they're going to get dinged in audits for leaking account information.

    Brute-forcing, done seriously, is generally trickier than you might imagine. They won't concentrate on a single account; they go looking for a whole list of accounts, and then try common passwords until they get a hit. It does work, although I wouldn't say it's easy for someone to pull off. But the money can be big, so the motivation can be big, too.

    On the i18n feature: I did initially make my own yml file for error messages, based on the example in the code. But since the Rails default is to give the name of the field in question, it wasn't enough. The error msgs still read "Login is not valid" and "Password is not valid". That's what led me to whip up the patch.

    Maybe we can just leave my patch available somewhere as an option for people who have this concern (even if you think we're crazy). :-)

  • Ben Johnson

    Ben Johnson May 4th, 2009 @ 12:46 AM

    Good point, I'll throw it in and make it an option. It's not my place to make decisions for other people's apps, so if you want this feature I should support it.

    Also, you make a good point about brute force protection; I agree there are many ways to attack a system. Protecting from that kind of brute force attack is a little outside of the scope of Authlogic, as I would have to log IP addresses, etc. Even that wouldn't really solve it, because someone could use a proxy server and switch between a number of IPs.

  • Ben Johnson

    Ben Johnson May 4th, 2009 @ 01:18 AM

    • State changed from “open” to “resolved”

    This has been added. I changed the option name to generalize_credentials_error_messages and it accepts a boolean. I felt this is a little easier and it also changes nicely if you are using a login field or an email field for authentication. Thanks for the help.
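    The behaviour the ticket asks for and the resolved `generalize_credentials_error_messages` option, shown as an added stand-alone Ruby example (not Authlogic's code): the sample user table, salt and message strings are constructed for illustration, and `credential_errors` / `leaks_account_existence?` are hypothetical helpers, not Authlogic API.

```ruby
require "digest"

# Constructed sample user table for this example (hypothetical, not Authlogic's).
# Passwords are stored as salted SHA-256 digests so no plaintext sits in the table.
SALT = "example-salt"
USERS = {
  "alice" => Digest::SHA256.hexdigest("#{SALT}correct horse"),
}.freeze

# Mirrors the two behaviours discussed in the ticket:
#   generalize: false -> field-specific messages, as the default Rails/Authlogic
#                        validation produces ("Login is not valid" / "Password is not valid")
#   generalize: true  -> one message for both failure modes, which is what the
#                        generalize_credentials_error_messages option enables
def credential_errors(login, password, generalize: false)
  user_digest = USERS[login]
  return [] if user_digest && user_digest == Digest::SHA256.hexdigest("#{SALT}#{password}")

  if generalize
    # Identical text whether the login or the password was wrong, so the
    # response no longer confirms that a login exists.
    ["Login/Password combination is not valid"]
  elsif user_digest.nil?
    ["Login is not valid"]
  else
    ["Password is not valid"]
  end
end

# True when the message for an unknown login differs from the message for a
# known login with a wrong password, i.e. when the response reveals account existence.
def leaks_account_existence?(generalize:)
  unknown_login = credential_errors("mallory", "x", generalize: generalize)
  wrong_password = credential_errors("alice", "x", generalize: generalize)
  unknown_login != wrong_password
end

if __FILE__ == $0
  [false, true].each do |g|
    puts "generalize=#{g}: leaks account existence? #{leaks_account_existence?(generalize: g)}"
  end
end
```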
