
@burgil
Last active April 15, 2024 00:59
Bullet Proof Login, Register and Forgot Pass System


Login

  • Valid email + valid password = login success
  • Valid email + invalid password = incorrect details error
  • Unregistered email + any password = the same incorrect details error

Register

(The tricky part where the magic happens)

  • Used an already registered email = tell the user a confirmation email has been sent, but don't actually send one
  • Used a new email = tell the user a confirmation email has been sent, and really send it

Forgot Pass

  • Enter a registered email = "If you have an account, an email has been sent to you"
  • Enter an unregistered email = "If you have an account, an email has been sent to you"

This way the attacker can't tell from the response whether an email is registered.

  • Also, every route should be rate limited globally, regardless of whether an email was sent or not and regardless of whether the request comes from a new IP; read the next bullet points on how to do it
  • Avoid letting anyone trigger confirmation emails to other people in a spammy way: a global rate limit keyed on the email address itself, not just on the IP, should exist
  • Avoid letting anyone attempt to log in too many times from the same IP and too many times against the same user (two separate rate limits). This way, if the attacker switches IP, the account username/email itself is still rate limited

Bad register example

  • Used an already registered email = "email already in use" error (leaks that the account exists)
  • Used a new email = confirmation email sent (the difference in response reveals which emails are registered)

burgil commented Apr 15, 2024

People always say that a way for someone to generate a user list on your app is a big security vulnerability.

  • Yet some websites let you enter an email associated with an account, and it will take you to the password page if the email is registered; if the email is not registered, it will take you to a sign-up page.

Why is this happening? And how can this be solved?

  • Usually developers are not security experts, and when they implement login pages they often contain common vulnerabilities.
    Exposing those vulnerabilities is not a good idea in my opinion, though, FYI.

  • I agree with the saying that the login, forgot pass and register pages shouldn't tell people if there is already an account going by this username.

  • But when you really think about it, how can one register on a website without knowing whether his email is already taken or not?

  • Should the login just say "something went wrong" when an email that is already in use is used?

Those are good questions

Implementing rate limits on the login can help to kind of solve the problem, or at least, delay it, but not to truly eliminate it.

This is why this gist exists, to help you conquer this problem and eat it for breakfast 😎
