Login Form Paranoia 101
If you've used the interwebs for longer than a New York minute you've seen at least a dozen login pages in your time. Some are simple, some downright annoying and others are... I have no words.
And yet, the login page is the front door lock for your customers. It's your way of welcoming them home with their own special key, inviting them into a shared private space where you exchange valuable information and provide access to transact. So, why not do at least a little to make it more usable AND more secure?
Let's start by looking at why this is a big deal. We'll come back to the topic next week to look at some ways to make this better but for now I want you to get good and freaked out so you'll see why this is important.
What are we so afraid of?
Is it really so hard? Just give users a user ID & password field and a login button and VOILA!, right?
Not so fast Sparky.
In case you've been hiding under a Mirai Botnet, you may not have realized that there are bad guys out there who will try to get jiggy with your web site and make it do naughty things. Bad, horrible, awful things like let them be your customer, or worse yet... YOU!
Here are just a couple of things a bad guy wants to try to do with a promiscuous login page.
So, imagine you're a bad guy. I know it's hard, but just try to be the naughtiest version of yourself for a minute and get into the mind of the enemy. The first thing I would try is to see if I can get your login page to give up a list of your users.
WHAT!?! you say? It won't do that! It would NEVER do that to me! How dare you suggest such a thing.
Well... calm down a second and let's think this through. The worst case of this is found in the error message you present when someone tries to log in:
So, you've just tried to log in with a fake username and you see one of these messages. What's wrong with this picture?
C'mon you can do this...
YOU GUESSED IT! I gave you information you didn't have before. If you see "username not found" you know that's an invalid user. If you see "password incorrect" you know the user is valid but the password isn't.
Probes like this can be scripted, letting attackers try THOUSANDS of potential usernames in just a few minutes, even with a known bad password, collecting the output and filtering out the valid usernames to try later with a bunch of passwords.
Some other things to consider:
- Time is another form of "message" to attackers. Even if the message is generic like "Login error," if you take longer to return the message for a good user (because you're hashing the password to check if it's good) you also give away some info.
- HTML markup is another obvious indicator to attackers. If your HTML content changes even slightly (different classes, hidden comments, etc.) from valid to invalid users, that too is a message hidden in your HTML.
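To make the message and timing oracles concrete, here is an added example in Python (not code from the original post): a leaky login handler that returns two different messages and skips password hashing entirely for unknown usernames, beside a uniform handler that returns one generic message and does the same hashing work on every path. The user store, password, salts and dummy credential are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000      # deliberately slow, as a real password hash should be
HASH_CALLS = {"n": 0}     # instrumentation: how much work each code path does

def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store: username -> (salt, stored hash). Not real accounts.
SALT = os.urandom(16)
USERS = {"alice": (SALT, hash_password("correct horse battery staple", SALT))}

# Dummy credential so the unknown-user path does exactly the same work as a known one.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)

def login_leaky(username: str, password: str):
    """Leaky 'before' handler: two messages, and no hashing at all for unknown users."""
    record = USERS.get(username)
    if record is None:
        return False, "username not found"      # tells the caller the name is invalid
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "password incorrect"      # confirms the name is valid
    return True, "welcome"

def login_uniform(username: str, password: str):
    """Hardened handler: one generic message, and the hash is computed on every path."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)   # same cost for known and unknown names
    ok = username in USERS and hmac.compare_digest(candidate, stored)
    return ok, ("welcome" if ok else "Login error")

def hash_calls_for(handler, username: str, password: str) -> int:
    before = HASH_CALLS["n"]
    handler(username, password)
    return HASH_CALLS["n"] - before

if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        for name in ("alice", "nobody"):
            start = time.perf_counter()
            _, message = handler(name, "wrong password")
            ms = (time.perf_counter() - start) * 1000
            print(f"{handler.__name__:14} {name:7} {message:20} {ms:6.1f} ms")
```

Run it and the leaky handler answers unknown usernames both with a different message and noticeably faster; the uniform handler's two columns are indistinguishable.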
Brute Forcing Passwords
Okay, so now you're sufficiently freaked out about the possibility of some nut job coming along and harvesting valid usernames from your site. You're probably already thinking of some ways you might be able to avoid that. GOOD! I'll give you my ideas next week but for now just noodle that for a bit.
Now let's turn our attention to password cracking.
We assume that an attacker has one or more valid usernames that they want to try out on your site. If I'm the bad guy the next thing I'm going to try is logging in with some basic passwords to see what happens.
So think with me:
- What does your login page do after 3, 4, 5 failed attempts to log in by the same user? You lock them out after 3 tries? GOOD!
  - Wait... what if they wait 5 minutes between tries?
  - What if they try 10,000 different usernames, one at a time, 10x per second? They're still only trying each username once every 16 minutes or so.
- Now how good is your failed attempts tracking?
  - What if they try all of your valid usernames without throttling?
  - They just locked every user account on your system... aka "Denial of Service."
- How do you know if your login page is under attack?
  - Do you have alerts that tell you if one IP is trying multiple user names in a short time?
  - What if they're using an onion network or botnet to anonymize their attempts, trying from different IPs with each attempt?
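As an added example (not from the original post), here is the kind of alert logic those last questions point at, in Python over a constructed sample auth log: it flags one address cycling through many usernames within a minute, and separately flags a minute with too many failures overall, which is the signal that still fires when every attempt arrives from a different address. The log format, addresses and thresholds are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample auth log (clock, source IP, username, outcome); not real traffic.
AUTH_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 bob FAIL
10:00:03 203.0.113.5 carol FAIL
10:00:04 203.0.113.5 dave FAIL
10:00:05 203.0.113.5 erin FAIL
10:00:30 192.0.2.10 alice FAIL
10:00:41 192.0.2.10 alice OK
10:05:01 198.51.100.1 alice FAIL
10:05:03 198.51.100.2 bob FAIL
10:05:05 198.51.100.3 carol FAIL
10:05:08 198.51.100.4 dave FAIL
10:05:11 198.51.100.5 erin FAIL
10:05:14 198.51.100.6 frank FAIL
10:05:17 198.51.100.7 grace FAIL
10:05:20 198.51.100.8 heidi FAIL
"""

def parse(line: str):
    clock, ip, user, outcome = line.split()
    h, m, s = map(int, clock.split(":"))
    return h * 3600 + m * 60 + s, ip, user, outcome

def detect(log: str, window_s=60, users_per_ip=5, fails_per_window=8):
    """Two alerts per fixed window: one IP cycling through many usernames, and
    too many failures overall (fires even when every attempt has a fresh IP)."""
    buckets = defaultdict(lambda: {"users_by_ip": defaultdict(set), "fails": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse(line)
        if outcome != "FAIL":
            continue                      # one typo then a success is normal behaviour
        bucket = buckets[ts // window_s]
        bucket["users_by_ip"][ip].add(user)
        bucket["fails"] += 1
    alerts = []
    for key in sorted(buckets):
        bucket = buckets[key]
        for ip, users in bucket["users_by_ip"].items():
            if len(users) >= users_per_ip:
                alerts.append(("SPRAY_FROM_IP", ip, len(users)))
        if bucket["fails"] >= fails_per_window:
            alerts.append(("DISTRIBUTED_FAILURES", len(bucket["users_by_ip"]), bucket["fails"]))
    return alerts
```

The single user who mistypes once and then logs in produces no alert; the 10:05 burst produces no per-IP alert at all and is caught only by the aggregate count.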
Remember, the hacker's goals may not always be the same:
- Spoofing an identity is what we normally think of when we consider login form attacks, but what about:
- Tampering: masking another attack by fiddling here
- Repudiation: filling up access logs to hide a successful login
- Information Disclosure: just getting all of the user names can be a way of gathering data for another type of attack, such as a phishing or social engineering attack.
- Denial of Service: like locking out all of your users
- Elevation of Privilege: they may not want ALL accounts; they may be satisfied with just one. That sets the success bar and timing threshold a lot lower.
Tune In Next Week for the Solution
Well, I hope by now that you're sufficiently scared. Feel free to share this with developers and get everyone in your company talking about the myriad ways attackers might violate something as simple and ubiquitous as your login form. Then, stay tuned for the next post where I'll give a rundown on some best practices gleaned from an actual overhaul of a web login form I recently helped secure and show you how to make yours safer as well.
Until then... Be smart! Be Safe!