[wp-hackers] Limit Login Attempts

Otto otto at ottodestruct.com
Thu Apr 25 00:07:26 UTC 2013


On Wed, Apr 24, 2013 at 6:20 PM, Mark Costlow <cheeks at swcp.com> wrote:
> One of our customer sites had a related problem today.  A brute-force
> attacker can learn the names of any potential admin users by sending
> GET requests for /?author=N where N is a user number.

First, note that users without published posts will not get the
redirect from the ?author=N requests. Only published authors will. So
don't publish using admin credentials and this is mitigated.

On a wider note, however, usernames are not meant to be considered
private information, and efforts to hide or treat them as private are
misguided and potentially harmful. I realize that this is
counter-intuitive, so allow me to explain:

Let's consider the consequences if usernames were intended to be
"hidden" information. If the username was considered secret, then the
total attack-surface for brute forcing a password would increase,
because now the attacker must learn both the username and the password
to gain entry. Instinctively, one might think of this as a good thing,
but you have to factor in the human element as well.

For years and years and years, the tech community as a whole has tried
to drive home the point of "choose a good password". At least some
users have done this, and the point is well received. However, nobody
has ever really said "choose a hard-to-guess username too". It's not a
point to be driven home, and it's not intuitive. People tend to use
simple, alphabetic usernames. So from a security standpoint, treating
the username as "sensitive info" is problematic.

More to the point, if we assume the user has a good password to begin
with, then having an easy to find username doesn't really help the
attacker any. It's already basically impossible to brute force a
"good" password. Adding the username to it really is identical to
increasing the password length, but the problem is that people haven't
had "choose a hard username" drilled into them. So the username's
"difficulty" level isn't anywhere near what they're likely to pick for
a password. A username is, essentially, an extremely poor password,
given normal human behavior.

So, treating usernames as secret is a bad idea, because it adds user
confusion. If they already have a good password, then their username
doesn't really matter. Asking them to choose a difficult username too
adds complexity, and people are bad at complexity. If you increase the
security requirements too much, you end up with the "password on a
post-it note on the monitor" syndrome. You need to balance good advice
with how likely people are to actually take that advice.

Additionally, many modern webservices have eschewed usernames
entirely, in favor of email addresses. Google, Facebook, etc, these
have no user names at all. Finding out an email address is easy (you
can see mine in this email, after all). Does the fact that you know my
email address make it any easier for you to crack my GMail account?
I'm guessing not, because I have a good password (and I use 2-factor
auth, but that's beside the point).

Yes, the username can sometimes be gotten from an ?author=N method.
But it can be gotten in other ways too. And, it's irrelevant except in
a targeted attack, and that sort of attack is doomed to failure if the
password is a good one to begin with. Encourage good password
selection, and don't confuse users by encouraging extra and somewhat
unnecessary security measures as well.

That's my 2 cents.

-Otto
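As an added example (not part of the thread above), the following script shows how a site operator could spot an ?author=N sweep in the web server's access log and see which IDs actually resolved to a published author, which is the condition Otto's mitigation removes. It assumes Apache combined log format, constructed sample lines, and that the author redirect appears as a 301/302 status.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2013:18:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.29"
203.0.113.5 - - [24/Apr/2013:18:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.29"
203.0.113.5 - - [24/Apr/2013:18:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.29"
203.0.113.5 - - [24/Apr/2013:18:01:04 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "curl/7.29"
203.0.113.5 - - [24/Apr/2013:18:01:04 +0000] "GET /?author=5 HTTP/1.1" 404 0 "-" "curl/7.29"
198.51.100.7 - - [24/Apr/2013:18:05:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2013:18:05:12 +0000] "GET /author/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, request line and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def author_probes(log_text):
    """Return {ip: {author_id: status}} for every request carrying an author=N query."""
    probes = defaultdict(dict)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = AUTHOR_RE.search(m.group("path"))
        if a:
            probes[m.group("ip")][int(a.group(1))] = int(m.group("status"))
    return probes


def enumeration_sweeps(log_text, min_ids=3):
    """Flag sources that probed at least min_ids distinct author IDs.

    Returns {ip: sorted author IDs that answered with a redirect}, i.e. the IDs the
    sweep resolved to a published author. Unpublished users (no redirect) never show up.
    """
    flagged = {}
    for ip, ids in author_probes(log_text).items():
        if len(ids) >= min_ids:
            flagged[ip] = sorted(n for n, status in ids.items() if status in (301, 302))
    return flagged


if __name__ == "__main__":
    for ip, resolved in enumeration_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: author enumeration sweep, redirected IDs {resolved}")
```

A single ?author=1 request from a browser (the second client) is normal traffic and is not flagged; only the sequential sweep is.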

