[Cryptography] Order of username and password entry

Robin Wood robin at digi.ninja
Tue Apr 6 03:21:36 EDT 2021


> Proper design - for as long as people have talked about proper design for
> username/password handling - is to *never* log a failed username anywhere,
> exactly because this kind of inversion is a very common failure mode.
>

What about handling password brute force attacks? If you don't log the
username then how can you tell who has been attacked?

You could keep a tally of failed login attempts on the user's account, but
you couldn't tie that directly to a specific attack unless you also logged
the time of each failure along with it.

I'd have thought the incident response benefits of logging the username
outweighed the negatives. Especially as logging a password which was
submitted as a username wouldn't reveal the username so wouldn't be that
much use to someone who got hold of the logs. Unless the user logged in
straight after and you logged that, then the two could be tied together.

Robin
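One way to keep the incident-response value Robin is asking about without writing a possibly-inverted password into the log is to log a keyed hash of whatever was submitted in the username field, together with the timestamp and source, and run the failure tally over those records. The following is an added example, not code from Robin's post or from the list; the log line format, the pseudonymisation key, the five-minute window and the threshold of five failures are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key for this example; a real deployment would load it from a
# secret store and rotate it, so pseudonyms cannot be reversed by someone
# who only has the logs.
PSEUDONYM_KEY = b"example-only-logging-key"

WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)
THRESHOLD = 5                   # failures inside one window that raise an alert (assumed)


def pseudonymize(submitted: str) -> str:
    """Keyed hash of whatever was typed into the username field.

    The raw string never reaches the log, so a password entered in the wrong
    field is not exposed, but repeated failures against the same value still
    collapse to one tag and can be counted per account."""
    norm = submitted.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, norm, hashlib.sha256).hexdigest()[:16]


def failed_login_record(ts: datetime, submitted: str, src: str) -> str:
    """Log line a login handler would write for one failed attempt (constructed format)."""
    return f"{ts.isoformat()} auth_fail tag={pseudonymize(submitted)} src={src}"


def parse_record(line: str):
    """Split a record back into (timestamp, event, key/value fields)."""
    ts_text, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_text), event, fields


def exceeds(times, window=WINDOW, threshold=THRESHOLD) -> bool:
    """True if any span of length `window` holds at least `threshold` timestamps."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect_bruteforce(lines):
    """Return (tags under attack, sources spraying) from auth_fail records."""
    per_tag = defaultdict(list)
    per_src = defaultdict(list)
    for line in lines:
        ts, event, fields = parse_record(line)
        if event != "auth_fail":
            continue
        per_tag[fields["tag"]].append(ts)   # tally per account, time included
        per_src[fields["src"]].append(ts)   # tally per source, catches sprays
    targeted = {tag for tag, ts in per_tag.items() if exceeds(ts)}
    spraying = {src for src, ts in per_src.items() if exceeds(ts)}
    return targeted, spraying


def sample_log() -> list:
    """Constructed records: one account hammered, one spray, one mistyped field."""
    t0 = datetime(2021, 4, 6, 7, 0, 0)
    lines = []
    # Six failures against "alice" from one source within two minutes.
    for i in range(6):
        lines.append(failed_login_record(t0 + timedelta(seconds=20 * i), "alice", "198.51.100.7"))
    # A user who typed their password into the username box, once.
    lines.append(failed_login_record(t0 + timedelta(minutes=1), "hunter2-not-a-username", "192.0.2.10"))
    # A spray: five different names from one source, each tried once.
    for i, name in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        lines.append(failed_login_record(t0 + timedelta(minutes=2, seconds=30 * i), name, "203.0.113.5"))
    return lines


if __name__ == "__main__":
    targeted, spraying = detect_bruteforce(sample_log())
    print("accounts under attack:", targeted)
    print("spraying sources:", spraying)
```

The per-source tally is what catches the spray case that a per-account counter alone misses, and because the tag is a keyed hash rather than the raw field, the stray password from 192.0.2.10 is not readable in the log; the tag can still be matched to an account by re-hashing the real username with the same key when an investigation needs it.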