How you should respond to authentication failures isn't universal

February 12, 2025

A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why. You shouldn't react any differently if it's a bad password for an existing account, an account that doesn't exist any more (perhaps with the correct password for the account when it existed), an account that never existed, and so on. This is common and long standing advice, but like a lot of security advice I think that the real answer is that what you should do depends on your circumstances, priorities, and goals.

The overall purpose of the standard view is to not tell attackers what they got wrong, and especially not to tell them if the account doesn't even exist. What this potentially achieves is slowing down authentication guessing and making the attacker use up more resources with no chance of success, so that if you have real accounts with vulnerable passwords the attacker is less likely to succeed against them. However, you shouldn't have weak passwords any more and on the modern Internet, attackers aren't short of resources or likely to suffer any consequences for trying and trying against you (and lots of other people). In practice, much like delays on failed authentications, it's been a long time since refusing to say why something failed meaningfully impeded attackers who are probing standard setups for SSH, IMAP, authenticated SMTP, and other common things.

(Attackers are probing for default accounts and default passwords, but the fix there is not to have any, not to slow attackers down a bit. Attackers will find common default account setups, probably much sooner than you would like. Well informed attackers can also generally get a good idea of your valid accounts, and they certainly exist.)

If what you care about is your server resources and not getting locked out through side effects, it's to your benefit for attackers to stop early. In addition, attackers aren't the only people who will fail your authentication. Your own people (or ex-people) will also be doing a certain amount of it, and some amount of the time they won't immediately realize what's wrong and why their authentication attempt failed (in part because people are sadly used to systems simply being flaky, so retrying may make things work). It's strictly better for your people if you can tell them what was wrong with their authentication attempt, at least to a certain extent. Did they use a non-existent account name? Did they format the account name wrong? Are they trying to use an account that has now been disabled (or removed)? And so on.

(Some of this may require ingenious custom communication methods (and custom software). In the comments on my entry, BP suggested 'accepting' IMAP authentication for now-closed accounts and then providing them with only a read-only INBOX that had one new message that said 'your account no longer exists, please take it out of this IMAP client'.)

There's no universally correct trade-off between denying attackers information and helping your people. A lot of where your particular trade-offs fall will depend on your usage patterns, for example how many of your people make mistakes of various sorts (including 'leaving their account configured in clients after you've closed it'). Some of it will also depend on how much resources you have available to do a really good job of recognizing serious attacks and impeding attackers with measures like accurately recognizing 'suspicious' authentication patterns and blocking them.

(Typically you'll have no resources for this and will be using more or less out of the box rate-limiting and other measures in whatever software you use. Of course this is likely to limit your options for giving people special messages about why they failed authentication, but one of my hopes is that over time, software adds options to be more informative if you turn them on.)

Comments on this page:

By sapphirepaw at 2025-02-13 08:45:44:

Probably less of a concern for IMAP, but in a web app, one must take care to hide the information completely. I was recently at a site that wouldn't say whether the provided email was valid for password reset, but would reveal it was in use when trying to create a new account.

(Turns out, their authentication system was just broken for a while. I never did get that email, and it began accepting my same old login a couple hours later.)

By BP at 2025-02-13 09:38:20:

sapphirepaw, as I commented on the previous entry Chris refers to: with IMAP there's a good chance an SMTP server is effectively leaking data about IMAP account existence. Or it could be a web-mail server, POP3, SSH, Kerberos, whatever; in any type of "single sign-on" situation, if the administrator really cares about hiding this, the system as a whole would need to be considered. (And at some level of paranoia, one may as well deal with the pain of installing client certificates, and then usernames hardly matter.)

If what you care about is your server resources and not getting locked out through side effects, it's to your benefit for attackers to stop early.

I wonder whether attackers would actually stop probing an account on a "no such account" error. After all, it could be bullshit (to hide account existence).

Tar-pitting is a possibility to consider, closely related to rate-limiting. Make a dummy "root" or "admin" account with an easily-guessed password, no access to anything that matters, and that operates incredibly slowly. Process a packet every minute or so, just quickly enough to keep the connection up and hopefully "distract" the scanner from other systems and accounts. Except, I don't know whether this actually works, or merely amuses network administrators.

BP suggested 'accepting' IMAP authentication for now-closed accounts and then providing them with only a read-only INBOX

But only for clients not respecting the "authentication failed" message. My general preference would be to act in the "expected" way, for well-behaved clients.

By cks at 2025-02-13 15:36:37:

I think that broadly, the threats are different if you have 'external' accounts rather than purely 'internal' ones. If you have only internal accounts, who has an account is probably not a secret, or not very much of a secret for most cases (an extremely high security system might not want to give away information on who has access to it). If you have external accounts, whether or not a given person (eg, an email address) has an account may be sensitive information, and their visible account identity might be even more sensitive.

Written on 12 February 2025.
« A surprise with rspamd's spam scoring and a workaround
'Internal' accounts and their difference from 'external' accounts »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal.
Search:
Login: Password:
Last modified: Wed Feb 12 21:55:07 2025
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.