--On Saturday, April 5, 2003 2:33 PM -0500 Susan Olson <[EMAIL PROTECTED]> wrote:
My question: what is the best way to handle "feedback" for users attempting to access an account that is already logged-on? Currently, users get a message stating that the account that they are attempting to use is already logged-on. I am not comfortable with this because it lends to the possible harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a similar issue with the "feedback" given to users when an account is locked out: "Your account is currently locked out, please contact an administrator", in that I only get this message when I have entered a valid User ID & Password for an account that is locked out, which seems to facilitate harvesting as well.
If anyone could provide me with some ideas/strategies, etc. on how to implement this securely I would greatly appreciate it!
No specific suggestions besides the obvious: change the error messages so that they are all the same. (Something along the line of "This username/password combination is not valid at this time." It is true in all cases...)
The problem of course is debugging. You may want to put in error codes for debugging (though a smart attacker could figure the error codes out and then you are back where you started. Still, it would be useful *before* you deploy at least, and you could remove them at the end of a debug cycle.)
The other problem is if you have an attacker smart enough to check timing differences. If the time to decide one case is detectably different from the other, that allows an avenue of opportunity. It may happen that all differences are indistinguishable from network latency variations, but you would want to be sure...
Daniel T. Staal
--------------------------------------------------------------- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. ---------------------------------------------------------------
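As an added illustration of the two points in the reply above (one generic message for every failure, and no cheap early-exit path that leaks the cause through timing), here is example code that is not from the thread: a Python login check that hashes a dummy credential when the username is unknown, evaluates "wrong password", "locked" and "already logged on" unconditionally, and keeps the detailed reason in a server-side log only. The user store, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this example (not part of the original thread).
GENERIC_FAILURE = "This username/password combination is not valid at this time."
ITERATIONS = 20_000  # kept low so the example runs quickly; raise it in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str, locked: bool = False, active_session: bool = False) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "locked": locked, "active_session": active_session}


# Dummy credentials hashed when the username is unknown, so every path does the
# same PBKDF2 work and "no such user" is not faster than "wrong password".
_DUMMY = make_user("not-a-real-password")

USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("bob-password", locked=True),
    "carol": make_user("carol-password", active_session=True),
}


def authenticate(username: str, password: str, users: dict = USERS,
                 log: Optional[list] = None) -> tuple:
    """Return (success, message); the message is identical for every failure cause."""
    record = users.get(username)
    lookup = record if record is not None else _DUMMY
    # Always hash and always compare in constant time, whatever the outcome.
    password_ok = hmac.compare_digest(_hash_password(password, lookup["salt"]), lookup["hash"])
    locked, already_on = lookup["locked"], lookup["active_session"]
    success = record is not None and password_ok and not locked and not already_on
    if log is not None:  # the detailed reason stays server-side, never in the response
        if success:
            reason = "ok"
        elif record is None:
            reason = "no_such_user"
        elif not password_ok:
            reason = "bad_password"
        else:
            reason = "locked" if locked else "already_logged_on"
        log.append((username, reason))
    return (True, "Login successful.") if success else (False, GENERIC_FAILURE)
```

The dummy hash removes the largest timing gap (skipping the password hash for unknown users), but small differences remain (dictionary hit versus miss, the final branch), so measure the response times of each failure case under realistic load before relying on the result.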
