In current mongoose-auth version, when trying to authenticate using the password module against a non-existent account, one gets an error "User with login... does not exist".
It's considered bad security practice to differentiate user authentication feedback based on existence of the given account (see: OWASP-AT-002).
An attacker may use the information to more effectively attack the site using e.g. brute force attacks since he can perform a lower cost enumeration of existing accounts.
Ideally, the mechanism should prevent an unauthenticated user from obtaining the information whether the given login corresponds to any account.
This includes active prevention against timing attacks - a random delay should be introduced during each unsuccessful authentication attempt so the attacker cannot analyze request/response timings and infer whether the account exists.
Without that, an attacker will receive a clear hint - a slightly shorter pause before the response since there's no hash checking when the account couldn't be found in the database.