catching login errors


dbv

Dec 19, 2012, 2:42:03 PM12/19/12
to cork-d...@googlegroups.com
The login function catches both incorrect username and password entries and redirects to 'fail_redirect'.  In case of failure, the calling program doesn't know whether the username or password or both caused the failure which means that a relevant error message for the user cannot be displayed.  Is that right?

Federico Ceratto

Dec 19, 2012, 4:02:51 PM12/19/12
to cork-d...@googlegroups.com
Spot on. It's a basic security feature.
Given the speed of today's servers, it would be easy to run a dictionary attack
against the most used usernames and then try the most used passwords against
the valid username.

1mln usernames could be tried out against a service that can handle
100 logins per second in less than 3h.

By checking both username and password together this attack becomes unfeasible.

Bye,
--
Federico

dbv

Dec 19, 2012, 6:33:35 PM12/19/12
to cork-d...@googlegroups.com
Gotcha.

Funny though, checked the login error process for two (paid) services I'm subscribed to and both show different error messages for username and password entry errors.  Guess they are ripe for being attacked.

Federico Ceratto

Dec 19, 2012, 6:45:57 PM12/19/12
to cork-d...@googlegroups.com
Yes, unfortunately it's very common for services not to protect their
customers from dictionary attacks like this.
Sometimes login requests are throttled but only based on the source IP address.

--
Federico
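The two points made above, checking username and password together so the failure message never reveals which one was wrong, and throttling per account rather than only per source IP, as an added example in plain Python. This is not Cork's code; the user table, the static salt, the iteration count and the attempt limits are constructed for the demo and would be per-user random salts and tuned limits in a real deployment.

```python
"""Added example (not Cork's code): a login check whose failure response is
identical for an unknown username and a wrong password, which computes the
password hash even for unknown users so response time does not leak
existence, and which throttles failed attempts per account as well as per IP."""
import hashlib
import hmac
import time
from collections import defaultdict

ITERATIONS = 10_000  # kept low for the demo; use a much higher count in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, pbkdf2 hash). Not real data.
_SALT = b"constructed-static-salt"
USERS = {
    "alice": (_SALT, _hash("correct horse battery staple", _SALT)),
}
# Dummy record used when the username is unknown, so a hash is still computed
# and the "unknown user" path takes as long as the "wrong password" path.
_DUMMY = (_SALT, _hash("dummy-password-never-accepted", _SALT))

MAX_ATTEMPTS = 5        # failures allowed per key inside the window
WINDOW_SECONDS = 300
_attempts = defaultdict(list)  # key -> timestamps of recent failures

GENERIC_FAILURE = "Invalid username or password"
THROTTLED = "Too many attempts, try again later"


def _throttled(key, now):
    recent = [t for t in _attempts[key] if now - t < WINDOW_SECONDS]
    _attempts[key] = recent
    return len(recent) >= MAX_ATTEMPTS


def _record_failure(key, now):
    _attempts[key].append(now)


def login(username, password, source_ip, now=None):
    """Return (ok, message). The message is the same whether the username or
    the password was wrong, and unknown usernames are throttled exactly like
    real ones, so the throttle itself does not reveal which accounts exist."""
    now = time.time() if now is None else now
    account_key = "user:" + username.lower()
    ip_key = "ip:" + source_ip
    if _throttled(account_key, now) or _throttled(ip_key, now):
        return False, THROTTLED
    salt, stored = USERS.get(username, _DUMMY)
    computed = _hash(password, salt)
    # Constant-time comparison; the membership check guards against a
    # password that happens to match the dummy record.
    ok = hmac.compare_digest(computed, stored) and username in USERS
    if not ok:
        _record_failure(account_key, now)
        _record_failure(ip_key, now)
        return False, GENERIC_FAILURE
    _attempts.pop(account_key, None)
    return True, "OK"
```

The per-account key is what defeats the attack described above: spreading guesses for one username across many source addresses no longer helps, because the account's own failure count is what locks it.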

dbv

Dec 19, 2012, 6:51:25 PM12/19/12
to cork-d...@googlegroups.com
Yep.  One reason why we are using email/password combination only (see previous note).  The email address can be verified, the password is encrypted and is the only thing that can be reset.

dbv

Dec 20, 2012, 4:47:15 AM12/20/12
to cork-d...@googlegroups.com
To test the capture of the returned True or False in the login() function of the simple_webapp.py example, added the 'success_or_fail' assignment:

@bottle.post('/login')
def login():
    """Authenticate users"""
    username = post_get('username')
    password = post_get('password')
    success_or_fail = aaa.login(username, password, success_redirect='/', fail_redirect='/login')
    # With redirect targets given, aaa.login() redirects instead of returning,
    # so the assignment above never completes and this line is never reached.
    print 'login success or fail:', success_or_fail

But, the success_or_fail value doesn't print.  Any idea why?


Federico

Dec 20, 2012, 10:02:46 AM12/20/12
to cork-d...@googlegroups.com, dbv
> But, the success_or_fail value doesn't print.  Any idea why?

In order to perform the redirection, Bottle uses an exception. The login function never returns.
Remove the redirect if you want to handle the output value.

--
Federico

dbv

Dec 20, 2012, 11:10:13 AM12/20/12
to cork-d...@googlegroups.com, dbv, Federico
To make it easier to handle exceptions in an application it would be better to remove success_redirect and fail_redirect from the login(), logout() and require() functions.  Send a success (True) or fail (False) back to the application which can then perform the appropriate redirect.
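Federico's explanation that the redirect is performed by raising an exception, so the code after aaa.login() never runs, and dbv's proposal that login() instead return True/False and let the application redirect, as an added example. This is not Cork's or Bottle's code: Redirect, cork_style_login, dispatch and the credential store are stand-ins constructed for this demo to model the behaviour described in the thread.

```python
"""Added example (not Cork's or Bottle's code): why an assignment after a
redirecting login() is never reached, and the alternative where login()
returns a boolean and the caller performs the redirect."""


class Redirect(Exception):
    """Stand-in for the exception a web framework raises to redirect."""

    def __init__(self, location, status=303):
        super().__init__(location)
        self.location = location
        self.status = status


# Constructed credential store for the flow demo only; real code stores
# salted hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}
log = []  # records whether the line after login() was ever reached


def cork_style_login(username, password, success_redirect=None, fail_redirect=None):
    """Models the API described in the thread: when a redirect target is
    supplied it raises instead of returning; otherwise it returns True/False."""
    ok = USERS.get(username) == password
    if ok and success_redirect:
        raise Redirect(success_redirect)
    if not ok and fail_redirect:
        raise Redirect(fail_redirect)
    return ok


def handler_with_redirect(form):
    """The pattern from the earlier post: the assignment never completes."""
    result = cork_style_login(form["username"], form["password"],
                              success_redirect="/", fail_redirect="/login")
    log.append(("reached", result))  # never executes: Redirect was raised above
    return "unreachable"


def handler_caller_decides(form):
    """The proposed pattern: login() returns, the application redirects."""
    ok = cork_style_login(form["username"], form["password"])
    log.append(("reached", ok))       # runs: login() returned normally
    raise Redirect("/" if ok else "/login")


def dispatch(handler, form):
    """Stand-in for the framework: a Redirect becomes a (status, location)
    response, anything else is a normal (200, body) response."""
    try:
        return 200, handler(form)
    except Redirect as r:
        return r.status, r.location
```

Running both handlers through dispatch shows the difference: the first produces the redirect but leaves the log empty, the second logs the boolean and then redirects itself, which is the separation of concerns dbv is asking for.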