[Owasp-cincinnati] Separating username and password

Edward Sumerfield esumerfd at bitbashers.org
Thu Oct 1 08:54:37 EDT 2009

Thanks for the evening meeting, very interesting.

One point we discussed was separating the username and password
fields onto two separate web pages, and how this could be bad because the
failure to recognize a username was bad feedback to give to a hacker.

Anyway, it appears my bank has a slight variation on this, offering
username and password on separate pages with a user-chosen image on
the second page, but an invalid username on the first page still takes
you to the second page to enter a password.

So, in this case the only indication that the username is correct is
the existence of an image on the password page. Presumably, not all
users have selected an image so this may limit the exposure of the
username/password split.

Interestingly, unlike the Yahoo image identification, the bank's
doesn't appear to be tied to a browser, so any hacker from anywhere
would receive the image if they used my username.

The use of identification images protects against spoof servers
while reducing security against brute-force attacks. I guess the fake
email attacks are more prevalent.
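As an added example, not part of the original post and not the bank's or Yahoo's code: a Python model of the two flows the post contrasts. The first is a bank-style password page that any username reaches, with the sign-in image shown whenever the username exists and has one; the second is a Yahoo-style page that shows the image only when a per-browser cookie proves this device already authenticated for that username. A small differential check plays the attacker without a cookie. The account names, image file names, cookie scheme and function names are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not real data): username -> chosen sign-in
# image, or None for a user who never selected one.
ACCOUNTS = {"alice": "sailboat.png", "bob": None}


def password_page_leaky(username):
    """Bank-style flow from the post: every username, valid or not, reaches
    the password page; the chosen image is shown whenever the username
    exists and has one. The image is the only thing that varies."""
    return {"page": "password", "image": ACCOUNTS.get(username)}


# Hypothetical server-side secret used to mint per-browser device cookies.
DEVICE_KEY = secrets.token_bytes(32)


def device_token(username):
    """Cookie value issued to a browser after it has fully authenticated
    once for this username; bound to that username via an HMAC."""
    return hmac.new(DEVICE_KEY, username.encode(), hashlib.sha256).hexdigest()


def password_page_device_bound(username, device_cookie):
    """Yahoo-style flow: the image is shown only when the browser presents a
    cookie previously issued for this exact username. From a browser that
    has never signed in, valid and invalid usernames render identically."""
    image = ACCOUNTS.get(username)
    recognized = (
        image is not None
        and device_cookie is not None
        and hmac.compare_digest(device_cookie, device_token(username))
    )
    return {"page": "password", "image": image if recognized else None}


def enumerate_usernames(page_fn, candidates):
    """What an attacker with no device cookie learns: the candidates whose
    password page differs from the page served for a made-up username."""
    baseline = page_fn("no-such-user-" + secrets.token_hex(4))
    return [u for u in candidates if page_fn(u) != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("leaky flow reveals:", enumerate_usernames(password_page_leaky, names))
    fresh_browser = lambda u: password_page_device_bound(u, None)
    print("device-bound flow reveals:", enumerate_usernames(fresh_browser, names))
    print("alice on her own browser:",
          password_page_device_bound("alice", device_token("alice")))
```

Running it, the leaky flow gives away only `alice`: `bob` never chose an image, so his page matches the page for a bogus name, which is the limit on exposure the post guesses at. The device-bound flow reveals nothing from a fresh browser, but a legitimate user on a new device also sees no image, which is exactly what a spoof site would show them, so the binding buys brute-force resistance at the cost of the anti-phishing signal the post closes on.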

