Thursday, November 13, 2014

How Detailed Login Error Messages can Pose a Security Risk

How many times a day do we type user ids and passwords to log into different accounts?  Each time we do there is the potential to make a mistake: a capitalization error, the CAPS LOCK key being on without our knowing it, typing too fast, or simply using the wrong user id and password combination.  Creating a new account can also be frustrating when the password you choose does not meet the site's criteria.  Failed login attempts happen to everyone at some time, but what you may not know is that the error messages meant to help you log in can also make it easier for an attacker to guess your password, or to confirm that your user id exists at all.  Some of the most common generic error messages you might get for an incorrect login are:

  • Login failed
  • Incorrect user id and / or password
  • Incorrect user id and password combination
  • Passwords are case sensitive
  • User id and password combination do not match our records

These generic error messages give little information to you, but they also give little to someone trying to get unauthorized access to your account.  A more detailed explanation of why the login failed would help you get logged in, but it helps anyone else trying to get into your account just as much.  According to Wikipedia, "As of 2011, available commercial products claim the ability to test up to 2,800,000,000 passwords a second on a standard desktop computer using a high-end graphics processor.  Such a device can crack a 10 letter single-case password in one day."  (There are 26^10, roughly 1.4 x 10^14, such passwords, which at that rate takes about 14 hours.)  That figure applies to offline cracking, where the attacker already holds a copy of a site's password hashes; a live login page handles guesses far more slowly, and a well-run one locks or slows down after a few failures.  In both cases, though, every fact the attacker learns about the format of your password, or about which user ids exist, shrinks the number of guesses that have to be made.  This statistic is staggering, and gives a small glimpse into the tools someone out to get our personal information may use.

So what can you do to protect yourself?

If you are creating a new user account, or have a failed login attempt, and receive any of the detailed error messages in the list below, create or change your password to one you do not use with any other account.  It is always a good idea to use a different password for every account, but that can be daunting.  If you do reuse passwords, limit the reuse to a few accounts: the more places a password is used, the more of your information is at risk if just one of those accounts is compromised.  For help creating passwords, read our "How to Choose Effective Passwords" post.

Some detailed error messages to be wary of:
  • User id does not exist
  • Password is incorrect
  • Password may not contain special characters
  • Password may not contain dictionary words
  • Password must start with a letter
  • Password must start with a number
  • Password cannot end with a number

These errors are very specific, which helps you get logged in or create an acceptable password.  However, they reveal the same details to anyone trying to sign in, authorized or not.  Reporting "Password is incorrect" confirms that the user id exists, and "User id does not exist" says so outright; an attacker can feed a list of likely names to the login page and come away with a list of real accounts to work on, without knowing a single password.  By contrast, "Incorrect user id and password combination" reveals almost nothing except that the pair does not work together.  Format rules leak in a different way: "Password must start with a letter" tells an attacker to drop every digit and special character from the first position in their password cracking software, and "Password may not contain special characters" removes them from every position.  Each rule narrows the set of possible passwords, which shortens the time it takes to guess the right one.  Sites do have to state their basic password requirements at account creation, otherwise nobody could meet them, so that much disclosure is unavoidable.  Restrictions beyond that, such as banning real words or dictating whether the password starts with a number, letter, or special character, should be treated as a bigger risk to the security of your data: each one tells the attacker which guesses to skip.
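To make the two leaks concrete, here is a small Python example added to this post; it is not code from the original article or from any particular site.  It builds a toy user store with two made-up accounts, implements a login check that returns the detailed messages listed above beside one that returns a single generic message, shows how an attacker turns the detailed messages into a list of valid user ids, and counts how many passwords each formatting rule removes from a guessing attack.  The account names, passwords and candidate user ids are all constructed for the demonstration, and the generic version also does the same amount of hashing work for unknown ids, so that response time does not give away what the message no longer says.

```python
"""User id enumeration through login error messages, and how disclosed
format rules shrink a password search.  Added example, not code from the
original post; accounts, passwords and candidate names are constructed."""
import hashlib
import hmac
import math
import os
import string

ITERATIONS = 10_000  # kept low for the demo; production PBKDF2 counts are far higher


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed user store: user id -> (salt, hash).  Not real accounts.
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("Tr0ub4dor&3"),
}

# Record used for ids that do not exist, so an unknown id costs the same
# hashing time as a real one (otherwise timing leaks what the text hides).
_DUMMY_SALT, _DUMMY_HASH = _make_record("placeholder-never-accepted")


def login_verbose(user_id: str, password: str) -> str:
    """The 'helpful' design: a different message for each reason for failure."""
    record = USERS.get(user_id)
    if record is None:
        return "User id does not exist"
    salt, stored = record
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "Password is incorrect"
    return "OK"


def login_generic(user_id: str, password: str) -> str:
    """Hardened design: one message for every failure, same work for unknown ids."""
    salt, stored = USERS.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if matched and user_id in USERS:  # the dummy record never grants access
        return "OK"
    return "Incorrect user id and / or password"


def enumerate_users(login, candidates):
    """Attacker side: which candidate ids exist?  Each reply is compared with
    the reply for an id that certainly does not exist; any difference is a leak."""
    control = "no-such-user-" + os.urandom(4).hex()
    probe = "not-the-password"
    baseline = login(control, probe)
    return sorted(u for u in candidates if login(u, probe) != baseline)


LETTERS = string.ascii_letters  # 52
DIGITS = string.digits          # 10
SPECIAL = string.punctuation    # 32


def search_space(length: int, rules: frozenset) -> int:
    """Passwords of `length` an attacker must still try after the listed error
    messages have told them which guesses to skip.  Rules are the message texts."""
    no_special = "Password may not contain special characters" in rules
    alphabet = LETTERS + DIGITS + ("" if no_special else SPECIAL)
    first = last = alphabet
    if "Password must start with a letter" in rules:
        first = LETTERS
    if "Password must start with a number" in rules:
        first = DIGITS
    if "Password cannot end with a number" in rules:
        last = "".join(c for c in alphabet if c not in DIGITS)
    if length == 1:
        return len(set(first) & set(last))
    return len(first) * len(alphabet) ** (length - 2) * len(last)


def bits_lost(length: int, rules: frozenset) -> float:
    """Bits of guessing work the disclosed rules save the attacker."""
    return math.log2(search_space(length, frozenset())) - math.log2(search_space(length, rules))


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol", "admin", "dave"]
    print("verbose login leaks:", enumerate_users(login_verbose, candidates))  # ['alice', 'bob']
    print("generic login leaks:", enumerate_users(login_generic, candidates))  # []
    rules = frozenset({"Password may not contain special characters",
                       "Password must start with a letter"})
    print(f"8-character search space shrinks by {bits_lost(8, rules):.1f} bits")
```

Against the verbose login the attacker recovers both real ids from a guessed list without a single correct password; against the generic one every candidate, real or not, produces the same reply.  The two format rules together cut an 8-character search by about 5 bits, roughly a factor of 32, before the attacker has tried anything.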

The information a site gives out about password formatting, at account creation or after a failed login, is out of your control.  The user ids and passwords you create for that site are in your control.  The best protection is to notice what a site reveals, both in its stated requirements and in its error feedback, and to choose a unique password for any site that appears to give away too much.  These small steps go a long way towards protecting that account, every other account you have, and your data.

As always, keep your information safe, it is well worth the effort.
