  1. #1
    ripcurlksm (SitePoint Guru), joined Aug 2004, San Clemente, CA, 859 posts

    Ajax forms -- Check Username availability -- security issue? privacy issue?

    We've all seen Ajax forms for usernames, where as you type it tells you if that username has been taken. This is a great feature but I can see it as a flaw in security in some situations.

    For me, I have a private database of users in an industry that is large, but for the most part big wigs are well known. And I could see:

    1) some users trying to register, "testing" usernames by company name or by first initial/last name to see who is subscribed.

    and

    2) if I am trying to hack a site, if the username is figured out, 1/3 of the battle is won. The other 2/3 being trying to crack arkinstalls's salted sha1(md5()) password.

    Now on any form, if a username is already taken, it will prompt you saying it's taken, but at least you had to submit the form. With Ajax username input boxes it seems like some people can discover a lot of discreet information by just typing.

    Thoughts?

  2. #2
    perkolate_jason (SitePoint Member), joined Sep 2008, Las Vegas, NV, 23 posts
    The same server side security principles for non-AJAX web apps should apply. Check that posts are coming only from your own server, validate input values, limit the number of allowed posts/requests per IP per time block, etc.

    A captcha check validating on the client form and server ajax response for the requesting page along with the other validations might be a good solution to stop bots from checking for taken usernames.

    I am curious what others can recommend.
    Perkolate
    Las Vegas Web Design and Web Development
    http://www.perkolate.com
    http://blog.perkolate.com

  3. #3
    SitePoint Enthusiast, joined Dec 2004, China, 52 posts
    Quote Originally Posted by ripcurlksm:
    > if I am trying to hack a site, if the username is figured out, 1/3 of the battle is won. The other 2/3 being trying to crack arkinstalls's salted sha1(md5()) password
    You can also find tons of usernames by browsing the website itself. Say I know your username is ripcurlksm.

  4. #4
    ripcurlksm (SitePoint Guru), joined Aug 2004, San Clemente, CA, 859 posts
    That is a good point. But this is a private login system where users are not shown to other users. You browse a database of information privately.

  5. #5
    robertss (SitePoint Enthusiast), joined Mar 2008, 32 posts
    It is definitely a security issue but if you take other security measures like the ones that perkolate_jason mentioned, it is highly unlikely anyone would be able to use it to hack the system. For privacy, I would recommend using just usernames instead of First and Last names though.

  6. #6
    Stormrider (SitePoint Wizard), joined Sep 2006, Nottingham, UK, 3,133 posts
    I don't think there is any issue. It is the same as submitting the form and having it tell you the name is taken, just presented differently.

    A bot programmed to get this information could work with either, it wouldn't make a difference at all.

  7. #7
    chestertondevelopment (SitePoint Addict), joined Dec 2005, Essex, UK, 241 posts
    Surely it doesn't make any difference if it's an AJAX check or not? You would be checking the username does not exist when the form is submitted anyway?

    If usernames are that much of a concern, use email addresses for login and then their full name when displaying on the site. I suppose that is the way Facebook does it.

    As recommended before, you should definitely set up IP throttling, 5 login attempts every 20 minutes or something.

  8. #8
    mmj (One website at a time), joined Feb 2001, Melbourne, Australia, 6,282 posts
    Quote Originally Posted by ripcurlksm:
    > That is a good point. But this is a private login system where users are not shown to other users. You browse a database of information privately.
    I guess that kind of answers the question. That is, on a public forum like SitePoint where member names are freely available and there is no expectation that they would be kept private, it is fine to make them available via AJAX. But on a site where the member names are supposed to be kept private and confidential, making them available via AJAX in this way is not at all acceptable.

    Obvious examples of the latter would be online banking sites, utilities accounts, newsletter subscriptions, etc, where you expect that regardless of your chosen account name, the fact you are a member is not going to be advertised to the world.

    However, it's rarely a problem. Those types of sites don't usually require you to submit a name by which you can be identified, and yet check to see if any other member already has that name.
    [mmj] My magic jigsaw
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The Bit Depth Blog Twitter Contact me
    Neon Javascript Framework Jokes Android stuff

  9. #9
    dvduval (phpLD Fanatic), joined Mar 2002, Silicon Valley, 3,626 posts
    I think the more important part is making sure the users have a secure password. Allowing less than eight characters, and not including both numbers and letters, would make it more likely that user accounts could be compromised.

  10. #10
    SitePoint Evangelist, joined Jun 2005, 436 posts
    Usernames are the public part of someone's login.

    Besides that, I don't see how AJAX contributes to the "problem." If it really is a problem, it's been a problem for years.

    e39m5

  11. #11
    mkoenig (Trash Boat), joined Aug 2007, 1,232 posts
    Maybe... if you mean to protect your user list, but otherwise it's OK.

    Same thing could be said for password resend or reset.

  12. #12
    myrdhrin (SitePoint Addict), joined Jul 2004, Montreal, 211 posts
    Checking user names availability makes sense when the user name itself is a known identifier and you want it to be unique.

    If you want the whole thing to be private, I would not even care about having a unique user name; I'd go with the email address and allow the user name to be in a domain or something similar.

    That being said, what Perkolate said is very important too.
    Jean-Marc (aka Myrdhrin)
    M2i3 - blog - Protect your privacy with Zliki

  13. #13
    logic_earth (. shoooo...), joined Oct 2005, CA, 9,013 posts
    Quote Originally Posted by dvduval:
    > ...[least] eight characters, and not including both numbers and letters...
    Don't forget special characters. In fact, do not limit what characters they can enter; one is probably going to hash it anyway.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.

  14. #14
    SitePoint Wizard, joined Apr 2007, 1,399 posts
    I agree this is not related to AJAX at all. If the user name is already taken, you need to inform the user to pick a different id. If you're really worried about security, then you should not store "password" as plain "text". I'm willing to bet that there are users who used the same "id" and "password" for their e-mail account. So, I recommend a 1 way encryption method. I even heard that someone sued some website that had 2 way encryption or plain text.

  15. #15
    Stormrider (SitePoint Wizard), joined Sep 2006, Nottingham, UK, 3,133 posts
    Quote Originally Posted by sg707:
    > So, I recommend a 1 way encryption method. I even heard that someone sued some website that had 2 way encryption or plain text.
    There is no such thing as '1 way encryption' - it is called hashing. It is a different process to encryption, although it's easy to see why some people think they are the same thing.

    In encryption, the original string is recoverable.
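As an added illustration of the hashing-versus-encryption point made in this post (example code written for this page, not from any poster), the block below stores passwords the way the thread's "salted" remark intends: a per-user random salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here instead of the thread's sha1(md5()) nesting because it is salted and slow by design). Nothing in the code can turn the stored record back into the password; verification only recomputes and compares. The iteration count and salt length are assumed values for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumptions for this example, not values from the thread.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, slow hash and pack it as scheme$iterations$salt$digest.

    The salt is stored in the clear on purpose: it is not a secret. It only
    makes equal passwords hash differently and defeats precomputed tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    There is no inverse step anywhere: the only way to "get the password back"
    is to guess candidates and run each through the same derivation.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False            # malformed record, never a match
    if scheme != SCHEME:
        return False            # unknown scheme, refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print("stored record:", record)
    print("verify right password:", verify_password("correct horse battery", record))
    print("verify wrong password:", verify_password("wrong", record))
```

Two users who pick the same password get different records because each gets its own salt, and a leaked table of records still has to be attacked one guess at a time at 200,000 iterations per guess; that is the practical difference from a reversible scheme, where one leaked key recovers every password at once.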

  16. #16
    cranial-bore (SitePoint Wizard), joined Jan 2002, Australia, 2,634 posts
    You could require that usernames not be based on real names or business names. They might then become meaningless to anyone harvesting them.

  17. #17
    SitePoint Wizard, joined Mar 2008, 1,149 posts
    Ajax does open a small (but insignificant) hole if the form requires a CAPTCHA to be completed before submitting. Provided that the CAPTCHA is not broken, the Ajax request URL would be the only method to check if a username exists by automated means.

    Though, it really shouldn't matter in the majority of situations.

  18. #18
    joebert (Floridiot), joined Mar 2004, Kenneth City, FL, 823 posts
    I think this is going a little overboard as far as security is concerned.

    An attacker can get the same information just by trying to signup and getting a name taken response. AJAX doesn't expose any information the normal signup form wouldn't.

    If you want to argue about ease of use, you should really get off of the Internet and only do business face-to-face right now.

  19. #19
    SitePoint Enthusiast, joined Sep 2008, 68 posts
    If knowing usernames is a weak point in your system security, I think you have to worry about the whole system.

    Add a delay of 15 min after 4 or 5 attempts to login. Even some alert to the admins or the user concerned after 10 or 20.
    Use some password strength verification when your user changes it so you don't have anybody using their login as password.
    After that, having a list of usernames won't be 1/3 of the path to hack into your app.
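The throttling that this post, perkolate_jason's post (#2) and chestertondevelopment's post (#7) describe, as an added example written for this page rather than code from any poster: a per-key failure window with a lockout after a handful of misses and an alert once a larger count is reached. The policy numbers (5 failures, 15 minutes, alert at 10) follow the figures quoted in the posts but are example settings; the key can be the client IP, the target username, or both via two instances. The same counter is also applied to the Ajax availability endpoint, which covers the point raised later in the thread that the check URL can be called directly without going through the form's CAPTCHA.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, List

# Policy numbers follow the posts above (4 or 5 attempts, 15 minutes, alert at 10);
# they are example settings, not a recommendation from the thread's authors.
WINDOW_SECONDS = 15 * 60       # failures older than this are forgotten
LOCKOUT_AFTER = 5              # failures inside the window that trigger a lockout
LOCKOUT_SECONDS = 15 * 60      # how long the key stays locked
ALERT_AFTER = 10               # failures inside the window that raise an alert


class Throttle:
    """Per-key failure counter with lockout and alerting.

    The clock is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._failures: Dict[Hashable, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[Hashable, float] = {}
        self.alerts: List[Hashable] = []   # stand-in for "mail the admins"

    def is_locked(self, key: Hashable) -> bool:
        return self._now() < self._locked_until.get(key, 0.0)

    def _record_failure(self, key: Hashable) -> None:
        now = self._now()
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop misses outside the window
            q.popleft()
        if len(q) >= LOCKOUT_AFTER:
            self._locked_until[key] = now + LOCKOUT_SECONDS
        if len(q) == ALERT_AFTER:                  # fire once per window crossing
            self.alerts.append(key)

    def attempt(self, key: Hashable, credentials_ok: Callable[[], bool]) -> str:
        """Gate a login: returns 'locked', 'denied' or 'ok'.

        Attempts made during a lockout are never checked against the password
        store, but they still count so the alert threshold can be reached.
        """
        if self.is_locked(key):
            self._record_failure(key)
            return "locked"
        if credentials_ok():
            self._failures.pop(key, None)          # a real login clears the slate
            return "ok"
        self._record_failure(key)
        return "denied"

    def allow_lookup(self, key: Hashable) -> bool:
        """Same budget applied to the Ajax availability endpoint.

        Every lookup is charged as a miss, so a script walking a name list from
        one address is cut off after LOCKOUT_AFTER lookups per window, whether
        or not the form in front of the endpoint carries a CAPTCHA.
        """
        if self.is_locked(key):
            return False
        self._record_failure(key)
        return not self.is_locked(key)


if __name__ == "__main__":
    th = Throttle()
    for _ in range(6):
        print(th.attempt("203.0.113.7", lambda: False))   # constructed client address
    print("alerts so far:", th.alerts)
```

Keying on the client address alone is easy to sidestep from many addresses, and keying on the username alone lets a third party lock a victim out; running one instance of each and refusing when either is locked gives both protections, which is the shape the posts are describing.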

  20. #20
    mmj (One website at a time), joined Feb 2001, Melbourne, Australia, 6,282 posts
    Quote Originally Posted by Arkh:
    > If knowing usernames is a weak point in your system security, I think you have to worry about the whole system.
    >
    > Add a delay of 15 min after 4 or 5 attempts to login. Even some alert to the admins or the user concerned after 10 or 20.
    > Use some password strength verification when your user changes it so you don't have anybody using their login as password.
    > After that, having a list of usernames won't be 1/3 of the path to hack into your app.
    I don't think this is really a security issue, but more of a privacy issue. As you said, if your security relies on usernames then you have other things to worry about.

    And it only becomes a privacy issue if you tell your users their username will be kept private. Therefore it doesn't apply to anything like public forums, like the SitePoint forums, where there is no such expectation that usernames will be private.

    If you tell people that the username they enter will remain private, such privacy doesn't hold up if your site does a duplicate username check. A person signing up, having believed their username would be kept private, might use something not-so-anonymous as their username, like their real name, or a handle they are commonly known for. They may do this, believing that it's safe to use their true name or well-known username since it will not be publicly viewable. However, if a site does a duplicate username check, other people can then easily check if that person is a member.

    It is a problem that is not to do with AJAX in particular, as so many have said already.

    Let's not blow the problem out of proportion. The most you could find out is whether someone with a certain known username is a member of the site. But it is still a fair point. You shouldn't tell your users their username will be kept private if you don't allow duplicate usernames, because the act of not allowing duplicate usernames gives away which usernames are already members.

  21. #21
    lorenw (SitePoint Wizard), joined Feb 2005, was rainy Oregon now sunny Florida, 1,099 posts
    I look at it this way: a user name was never the secure part. Try to get a name for a gmail account; you will have to try 7 or more times (a time delay would be counterproductive with finding a gmail name) to get a good name, and guess what? You now know 7 email addresses from gmail that you can try to hack your way into.

    The password is where the security comes in, mix upper, lower, numbers and special chars for a total of 8 non dictionary terms and no one is getting in. Actually 5 chars would keep them busy pretty much forever.
    What I lack in acuracy I make up for in misteaks

  22. #22
    jtresidder (SitePoint Addict), joined Nov 2003, Southampton, UK, 345 posts
    I'd say that it was the responsibility of the user to choose their own level of anonymity with their username, but that we as web developers should advise them for the sake of being helpful. It's much like choosing a password - 'a' is a perfectly acceptable password for something that a user doesn't feel requires a password*, but as web developers we usually try to stop them doing things like that.

    With a username, if there's an obvious public element to the site such as a forum, I don't think it's even worth mentioning. If it was something like a business site, I recommend to clients that they put a note next to the username form field pointing out that they might like to anonymise themselves.

    Not that it's ever come up, but if it was something really controversial, I'd probably recommend forcing the issue by adding random digits to the end of the username (ie, 'jtresidder629').

    * Newspaper websites that require a login to read for example. If bugmenot doesn't have a login for it, I'll create the simplest login the site allows me to with a throwaway email address, submit it back to bugmenot, and if people can guess it, so much the better.

    Quote Originally Posted by Stormrider:
    > There is no such thing as '1 way encryption' - it is called hashing. It is a different process to encryption, although it's easy to see why some people think they are the same thing.
    >
    > In encryption, the original string is recoverable.
    Whether or not something has to be unencryptable to be called encrypted is far from clear-cut; I've seen cases for both without looking specifically (from the same source, even). To me it makes no sense to add a restriction to the definition when it's not required - that just makes the word less versatile. I'd say hashing was a specific sub-set of encryption that precludes decryption, but that it was still encryption.

  23. #23
    mmj (One website at a time), joined Feb 2001, Melbourne, Australia, 6,282 posts
    Quote Originally Posted by nasirch:
    > How can it cause a privacy issue as it only tells whether a user name is available or not?...
    > It didn't tell who is the owner of that user name....
    >
    > isn't so....
    Let's say you have a friend and you want to find out if he is a member of a website that he'd probably rather you didn't find out he was a member of.

    The website doesn't display a list of members, however, it enforces that two users can't have the same username. So all you have to do is start trying usernames your friend usually uses, or combinations of their name, and you can find out if they are a member.

    That's the privacy factor. And obviously, as I said before, it doesn't apply to a lot of sites. A lot of sites make it obvious that your username is not going to be kept secret, and therefore people will be able to make that choice as to how anonymous they'll be. The issue would be if the site tried to claim that your username is kept secret, which might tempt people not to anonymise their username.

    A similar (and worse, IMO) privacy problem is if a site notices that you are using the same email address of someone who is already a member, and shows that somehow, either with a message or not letting you submit the form. That would be an easy way of finding out if someone you know is a member of some site - you just try signing up with their email address. A more private way to handle it would be just to act like it's creating an account anyway, and only put information about what happened in the email that goes out, as in "did you realise you're already a member? Here's how you reset your password" and so on.
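The email-address variant described at the end of this post, and the duplicate-username leak mmj describes in post #20, come down to the same design choice: does the HTTP response differ depending on whether the account exists? The following is an added example written for this page (not code from any poster) showing the leaky pattern beside the quieter one mmj suggests, where the response is identical in both cases and the difference travels only in the email. The in-memory account store, outbox and token handling are constructed stand-ins for a real database and mail queue.

```python
import secrets
from typing import Dict, List


class LeakySignup:
    """The pattern the post warns about: the response itself says whether the
    address is already registered, so anyone can test any address."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}   # email -> state (constructed store)

    def signup(self, email: str) -> dict:
        email = email.strip().lower()
        if email in self.accounts:
            return {"status": 409, "message": "That email address is already registered."}
        self.accounts[email] = "pending"
        return {"status": 200, "message": "Check your email to continue."}


class QuietSignup:
    """Enumeration-resistant variant: same response whatever happened; the
    existing member learns about it in private, via the email that goes out."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}          # email -> state (constructed store)
        self.pending_tokens: Dict[str, str] = {}    # confirmation token -> email
        self.outbox: List[dict] = []                # stand-in for a mail queue

    def signup(self, email: str) -> dict:
        email = email.strip().lower()
        if email in self.accounts:
            # Existing member: tell them, not the person filling in the form.
            self.outbox.append({
                "to": email,
                "subject": "Did you realise you're already a member?",
                "body": "Someone (probably you) tried to sign up with this address. "
                        "If you forgot your password, use the reset link on the login page.",
            })
        else:
            # New address: park it behind a confirmation token until the mailbox owner clicks.
            token = secrets.token_urlsafe(32)
            self.pending_tokens[token] = email
            self.outbox.append({
                "to": email,
                "subject": "Confirm your account",
                "body": f"Open the confirmation link carrying token {token} to finish signing up.",
            })
        # Same status, same wording, same shape, regardless of the branch taken above.
        return {"status": 200, "message": "Check your email to continue."}

    def confirm(self, token: str) -> bool:
        """Activate the account once the mailbox owner proves control of it."""
        email = self.pending_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email] = "active"
        return True


if __name__ == "__main__":
    svc = QuietSignup()
    svc.accounts["alice@example.com"] = "active"        # constructed existing member
    print(svc.signup("alice@example.com"))
    print(svc.signup("bob@example.com"))
    print([m["subject"] for m in svc.outbox])
```

Both branches do about the same amount of work (one lookup, one queued message), which matters because a response that is identical in content but noticeably slower for existing members would leak the same bit through timing. The same principle applies to password reset forms, as mkoenig notes in post #11.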

  24. #24
    SitePoint Zealot, joined Jan 2007, Australia, 137 posts
    Strictly speaking, if it's a private login system, this feature represents a vulnerability.

    Of course, it's not quite as dramatic. Login forms that alert on "username not exists" and then on "password incorrect" serve the same effect; I've seen people protect login forms with CAPTCHAs for this purpose.

    Maybe this is a privacy issue. It should definitely be protected by a CAPTCHA so that it can't be automated. It's not a physical security vulnerability, just a logical vulnerability in your enforcement of your security policy.

    But at the end of the day, it's more or less meaningless. Your largest threat is your user (social engineering), and maybe XSS. If you httponly your cookies and filter input in your application, you have better things to worry about than this feature of your signup form. No application can be perfectly secure; you surrender the luxury when you start building for the web. But this is a reasonable compromise.

  25. #25
    Aleksejs (secure webapps for all), joined Apr 2008, Riga, Latvia, 755 posts
    Why not do the same thing banks do (at least the ones that I am familiar with): rather than allowing users to choose their own logonName, generate one for them. That way you can ensure that no private information can be deduced from the logonName.
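The two name-assignment ideas in the thread, jtresidder's random-digit suffix from post #22 ('jtresidder629') and the bank-style fully generated logon name in this post, as an added example written for this page rather than code from either poster. Both draw from the `secrets` module rather than `random` so the values cannot be predicted, and both retry against a set of names already in use. The set is a constructed stand-in for a uniqueness check against the user table.

```python
import secrets
import string
from typing import Set

# Lower-case letters and digits only, so the generated name is easy to type and read out.
ALPHABET = string.ascii_lowercase + string.digits


def anonymise_username(chosen: str, taken: Set[str], digits: int = 3) -> str:
    """Post #22's approach: keep the chosen name, append random digits.

    A 3-digit suffix only multiplies the guesses needed per base name by 1000,
    so this softens the inference rather than removing it.
    """
    for _ in range(10 ** digits):
        suffix = secrets.randbelow(10 ** digits)
        candidate = f"{chosen}{suffix:0{digits}d}"
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise RuntimeError("no free suffix left for this base name")


def generate_logon_name(taken: Set[str], length: int = 10) -> str:
    """Post #25's approach: the logon name is assigned, not chosen.

    It carries no information about the person behind it, so checking whether
    a given name exists tells an outsider nothing about who is a member.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in taken:
            taken.add(candidate)
            return candidate


if __name__ == "__main__":
    in_use: Set[str] = {"jtresidder629"}          # constructed existing names
    print(anonymise_username("jtresidder", in_use))
    print(generate_logon_name(in_use))
    print(sorted(in_use))
```

With a generated name the user still needs a way to find it again; the banks referred to in the post hand it over out of band, and a site doing the same would typically send it in the welcome email and let the user log in with either the assigned name or their email address.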
