bobble14988
2012-07-30 13:40:00 UTC
讓我們說一個用戶正在登錄一個典型的站點,輸入用戶名和密碼,然後他們輸錯了其中一項輸入。我注意到,即使不是全部,大多數站點也會顯示相同的消息(類似“用戶名或密碼無效”)。
對我來說,這似乎很容易通知用戶哪個輸入錯誤,這讓我想知道為什麼網站不這樣做。那麼,是出於安全原因嗎?還是僅僅是一些已經成為常態的事情?
對於以不同方式查看用戶是否存在的網站,則不會獲得安全性提高。他們只是煩人。
Non security reason: If the database contains salted and hashed passwords, determining that the password matches an existing one would require hashing the password provided with every salt (1 per user, we hope) in the database.
一個與安全性完全不相關的原因是,提供程序可能不知道哪個錯誤。例如。如果bob1@provider.com將他的用戶名錯誤鍵入為bob2@provider.com,並且確實存在另一個用戶bob2@provider.com。
@MarkBeadles ...登錄實體將不知道用戶名是否有效?您可能需要再解釋一遍...
1. BOB1@PROVIDER.COM將id錯誤鍵入為“ BOB2@PROVIDER.COM”,並正確鍵入了他(自己的)密碼2。用戶BOB2存在於用戶store3中。登錄實體認為BOB2輸入了錯誤的密碼,而實際上BOB1輸入了用戶名。
I would agree that it is for security reasons. **I don't know any website where the username is supposed to be secret.** As an example: Google does the "Username and/or Password Invalid" thing but you can still find out if a username exists (by trying to register it).
AilirjdriaCMTãoPortela, but the creation screen is guarded by captcha. Thats the difference.
Occam的Razor說:程序員很懶。 :)
AilivxyzfxCMTãoPortela not all systems allow you to self-register automatically.
Because hackers can easily hack the accounts if they know any one thing correctly
AilitbuuixCMT fair point (I had forgotten about that). Still: your username is your email, which makes it very much public.
@Affe是的,但是您在帶有公共用戶名的系統中仍然看到此行為,其中“出於安全性考慮”的推理不適用。因此,肯定有另一個原因……也許僅僅是因為其他所有人都在這樣做。
Even if system allows to check if account exists in some other way, this would still slow down bruteforcing by amount of those requests.
@JoãoPortela,請考慮以下問題:如果gmail允許您確定是否存在沒有驗證碼的用戶ID,則他們將允許垃圾郵件發送者以一種方式來獲取合法的電子郵件帳戶。沒錯,如果在某些情況下用戶ID是完全公開的,那麼按照慣例很可能是這樣。為什麼您的網站代碼不支持這兩種情況?
AilirogugjCMT In the mean time I read [ExpectoPatronum](http://security.stackexchange.com/a/17857/2304) and similar ones and it makes a lot more sense. I just wasn't buying the whole: "after they know the username they just have to guess the password" thing.
AilihqeauoCMT In the case of Google, the captcha is there for signing up (like submitting the form), the validation is done via AJAX. You can see the URL, and the POST parameters, and the headers, so the hidden usernames are not the issue.
AilieuqzsdCMT The possibility of the user mistyping the username and submitting is extremely rare. Divide it by a billion and get the possibility of the mistyped username matching the one of another user. However, when the user base is huge (like Google's or Yahoo's) the possibility of this happening is higher. But even then, when bob1 mistypes bob2, without knowing he's actually bob1, the site could say "Password invalid for bob2" and the user will get the problem.
一些網站會在註冊時告訴您您提供的電子郵件地址是否已經存在於他們的系統中(有時會指向密碼重置功能)。任何人都可以闡明這是如何使惡意用戶無法找到有效用戶名的另一種方式嗎? (我不是在這裡僅在談論信息豐富的JavaScript提示等)
只是增加了更多:Facebook實際上會告訴您用戶名不存在的時間。 :)
Microsoft也是如此:“ *該Microsoft帳戶不存在。輸入其他電子郵件地址或獲取一個新帳戶。*” /“ *該密碼不正確。請確保您使用Microsoft帳戶的密碼。*”