[wp-hackers] Author URLs expose usernames
harry at dxw.com
Thu Jul 19 12:09:14 UTC 2012
On 19/07/12 08:52, Andrew Spratley wrote:
> I agree with Otto on this. Hiding usernames on the front end isn't
> going to get you much more real security. As has been demonstrated
> before, security by obscurity doesn't work long term. Usernames were
> never engineered to be hidden. Having strong passwords and mitigating
> brute force attacks is going to pay off for you in the long term.
I agree that the security of an individual account isn't much affected
by the username of that account being public, but that's not what I'm
talking about. I'm talking about the security of a whole (private) site,
across all its accounts. And, from that perspective, this approach is
Say you're trying to break into a site with 1000 users. With that number
of users, it is a virtual certainty that at least 1 or 2 accounts will
have very weak passwords (like "password" or "letmein"). Because it's a
private site and any account gets you in, you don't care which account
you break. You only need one.
Say you've guessed a few usernames based on publicly available
information, like known accounts on other sites. You might have 20
accounts to try. You try them, but you're looking for 1 or 2 sites out
of 1000. And they weren't within this 20.
Now say the site lets you enumerate all user accounts. I'm sure you can
guess the rest. With all the usernames, you'll definitely find the weak
ones. And with that number of accounts, there'll definitely be weak ones
I'm not saying that stopping username enumeration is going to completely
solve the problem of weak passwords. Of course, it won't. And it's far
from the only thing we do to protect sites -- in fact, after several
years of operating, we're only just getting around to this one. Because
we've had the simple, most effective things in place for ages (like
detection and blocking of brute force attacks, password audits, minimum
password lengths, etc).
But, we always seek to improve. This is a problem worth solving because
the presence of usernames in sites serves no particular user need. It is
something that can be removed without reducing the quality of the user
experience at all. It is something that *will* increase the security of
our sites. Not as much as other things, but we already do those things.
It's not about security through obscurity. It's about the difference
between knowing a few of a sort of thing, and all of a sort of thing.
It's the difference between the probability that the usernames you
happen to have correspond to the passwords you have, and the probability
that any existing username corresponds to the passwords you have. The
latter is much higher.
PS - I'd definitely endorse the idea of a gradually increasing delay
between failed login attempts. We might add that too :)
More information about the wp-hackers