
6.033--Computer System Engineering

Suggestions for classroom discussion


Topic: Security versus human engineering

April 6, 1995, updated April 12, 2003.


Here is an item good for a five-minute recitation discussion:

When a person fails to log in properly, should the response simply be "login failed", or should it be more specific, distinguishing between "user unknown" and "wrong password"?

This raises a security opportunity on the one hand, versus a human engineering consideration on the other.

The security opportunity is to deny hackers the ability to confirm guesses of user names on your system.

The human engineering consideration is that when a legitimate user gets a rejection notice, that user doesn't have a clue which of many things might have gone wrong:

Knowing for sure that the system didn't recognize the user name (or that it didn't like the password) helps reduce the number of possibilities, and the ensuing confusion.

This is an example where the reflex answer of most security designers is to hassle potential attackers by revealing nothing. But the consequent complaints of user-unfriendliness from legitimate users are usually so intense that most systems have decided that the extra increment of security is not worth it.
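To make the two designs concrete, here is an added example (not part of the original note) that implements both responses side by side: a login routine that distinguishes "user unknown" from "wrong password", and one that returns a single "login failed" message. The user store and password are constructed for the example. It also shows a caveat the uniform message alone does not cover: if the system only hashes the password for names it recognizes, the response time still reveals whether the name exists, so the uniform version does the same hashing work against a decoy record for unknown names.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor, kept modest so the example runs quickly


def _make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest) for a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store for the example: username -> (salt, digest).
USERS = {
    "alice": _make_record("correct horse battery staple"),
}

# Decoy record used for unknown names so that the same amount of hashing work
# is done whether or not the name exists; otherwise timing leaks the answer.
_DECOY_SALT, _DECOY_DIGEST = _make_record("decoy-password-never-accepted")


def check_password(salt: bytes, digest: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def login_verbose(username: str, password: str) -> str:
    """The human-engineering answer: tell the user which part was wrong.
    Side effect: a rejection confirms whether the user name exists."""
    record = USERS.get(username)
    if record is None:
        return "user unknown"
    if not check_password(*record, password):
        return "wrong password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """The security answer: one message for every failure, and the same
    hashing work for known and unknown names."""
    salt, digest = USERS.get(username, (_DECOY_SALT, _DECOY_DIGEST))
    matched = check_password(salt, digest, password)
    # The membership check guards the (contrived) case of a guess that
    # happens to match the decoy record.
    if matched and username in USERS:
        return "ok"
    return "login failed"


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__, fn("alice", "wrong"), "/", fn("bob", "wrong"))
```

Note that the uniform message closes only the error-text channel; the decoy hashing closes the timing channel, and a practitioner auditing a login path would check both, since the second is the one that usually survives a "just change the message" fix.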


Here is a closely related design issue: If a user gives the wrong password several times in a row, what should the system do?

The reflex answer of most security designers is "Assume that someone is trying a dictionary attack, and disable that account." The assumption is that if the errors were legitimate, the account owner will shortly show up at the administrator's office to report the lost password, or repeated fumbling, or whatever, and the administrator can reinstate the account.

But what is the downside? This policy becomes an invitation for an attacker to perform a denial-of-service attack on an individual. Just choose a time when that individual would find it inconvenient to make a personal visit to the system administrator (for example, the individual has just embarked on a business trip) and then perform enough login attempts to cause the account to be disabled.

This problem is of special concern for eBay, because its auctions have deadlines, and to place a bid one must first log in. If there are two bidders interested in an item, as the deadline approaches one bidder could interfere with, or even prevent, the other from posting a higher bid by issuing bogus logins to force the other bidder's account to be disabled.

My understanding is that eBay does not disable user accounts for which a dictionary attack appears to be in progress.
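The following added example (mine, not the note's and not a description of eBay's implementation) models the lockout policy described above and the auction scenario it invites, then contrasts it with one assumed alternative design: counting failures per (account, source) and letting them expire after a window, so that failures generated from one network source do not disable the account for the owner logging in from another. Account names, addresses and the threshold are constructed for the example.

```python
from collections import defaultdict, deque

LOCK_THRESHOLD = 3  # wrong passwords in a row before the policy reacts


class HardLockout:
    """Policy from the text: N consecutive wrong passwords disable the account
    until an administrator reinstates it, regardless of where they came from."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.disabled = set()

    def attempt(self, account: str, source: str, correct: bool) -> str:
        if account in self.disabled:
            return "disabled"
        if correct:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCK_THRESHOLD:
            self.disabled.add(account)
        return "failed"


class SourceThrottle:
    """Assumed alternative (not from the text): failures are counted per
    (account, source) and expire after WINDOW seconds. A third party cannot
    lock the owner out from elsewhere, while repeated guessing from a single
    source is still slowed down."""

    WINDOW = 60.0

    def __init__(self, clock):
        self.clock = clock  # injectable time source so the example is deterministic
        self.failures = defaultdict(deque)

    def attempt(self, account: str, source: str, correct: bool) -> str:
        now = self.clock()
        recent = self.failures[(account, source)]
        while recent and now - recent[0] > self.WINDOW:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= LOCK_THRESHOLD:
            return "throttled"
        if correct:
            recent.clear()
            return "ok"
        recent.append(now)
        return "failed"


def auction_scenario(policy) -> str:
    """The situation in the text: a rival sends LOCK_THRESHOLD wrong passwords
    for 'bidder' from their own address; then the real owner logs in with the
    correct password from a different address. Returns the owner's result."""
    for _ in range(LOCK_THRESHOLD):
        policy.attempt("bidder", "203.0.113.9", correct=False)
    return policy.attempt("bidder", "198.51.100.7", correct=True)


if __name__ == "__main__":
    print("hard lockout:", auction_scenario(HardLockout()))          # disabled
    print("source throttle:", auction_scenario(SourceThrottle(lambda: 0.0)))  # ok
```

The trade-off is visible in the code: the throttle keys on the source, so an attacker spreading guesses across many addresses is slowed less than under a global counter, and legitimate users behind one shared address can throttle each other. Which side of that trade-off to take is the same kind of judgement the note describes, and the eBay case shows why a deadline-driven service may weigh the denial-of-service risk more heavily than the guessing risk.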


Comments and suggestions: Saltzer@mit.edu