Response Processors: Login Processor: Incident - Site Login Username Scan

Complexity: Medium (3.0)

Default Response: 1x = Captcha and Slow Connection for 6 hours, 3x = Clear Inputs and Slow Connection for 1 day

Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when a user attempts to log in against 16 or more different usernames, trying only a small number of passwords for each.

Behavior: One flaw present in many authentication implementations is that the response returned when submitting an invalid username and password differs from the response returned when the username is valid but the password is not. By enumerating a large number of possible usernames and supplying bad passwords, the attacker can identify which usernames actually exist in the system. This is one of the first steps of a large-scale brute force attack: once the attacker has a list of valid usernames, they can launch the brute force attack against just those usernames, making the attack quicker and harder to identify. A best practice when developing authentication systems is to ensure that the response returned for an invalid username is identical to the response returned for a valid username with an invalid password. For example, the error should read "The username and password you supplied could not be found in our database", instead of "The username you provided does not exist".
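The following is an added example, not code from the original page or from the product it documents. It shows the flawed login pattern described above beside its hardened form (one message and one code path for both failure cases, with a dummy password check so an unknown username costs the same as a real one), and a small detector that applies the incident's rule to constructed log lines: a source that tries 16 or more distinct usernames with only a few passwords each. The log format, the user store, the IP addresses, and the choice of 3 as "a small number of passwords" are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}
# Dummy credential checked whenever the username is unknown, so that the
# unknown-username path does the same work as a real password check.
_DUMMY = (_SALT, _hash_password("dummy-placeholder", _SALT))


def login_enumerable(username: str, password: str) -> str:
    """The flawed pattern: the message reveals whether the username exists."""
    if username not in USERS:
        return "The username you provided does not exist"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Incorrect password"


def login_uniform(username: str, password: str) -> str:
    """The hardened pattern: identical response for both failure cases.

    The hash is always computed (against the dummy credential when the user is
    unknown) before the existence check, so neither the message nor the timing
    distinguishes an unknown username from a wrong password.
    """
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if match and username in USERS:
        return "OK"
    return "The username and password you supplied could not be found in our database"


def detect_username_scan(log_lines, min_usernames=16, max_passwords_per_user=3):
    """Return the sources whose failed logins look like a username scan.

    Assumed (constructed) log line format: 'src=<ip> user=<name> result=<ok|fail>'.
    A source is flagged when it failed against at least `min_usernames` distinct
    usernames while trying no more than `max_passwords_per_user` passwords on each.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("result") != "fail":
            continue
        failures[fields["src"]][fields["user"]] += 1

    flagged = []
    for src, per_user in failures.items():
        scanned = [u for u, n in per_user.items() if n <= max_passwords_per_user]
        if len(scanned) >= min_usernames:
            flagged.append(src)
    return sorted(flagged)


# Constructed sample log: one source sweeps 20 usernames with one password each
# (a username scan); another hammers a single known account (not a scan).
SAMPLE_LOG = (
    [f"src=198.51.100.7 user=user{i:02d} result=fail" for i in range(20)]
    + ["src=203.0.113.5 user=alice result=fail"] * 10
    + ["src=203.0.113.5 user=alice result=ok"]
)

if __name__ == "__main__":
    print(login_enumerable("nobody", "x"), "|", login_enumerable("alice", "x"))
    print(login_uniform("nobody", "x"), "|", login_uniform("alice", "x"))
    print("username scan from:", detect_username_scan(SAMPLE_LOG))
```

Running the block prints two different messages for the enumerable handler, the same message twice for the uniform handler, and flags only the sweeping source. The second source fails many times against one username, which is a password guessing pattern rather than a username scan and is left for a different rule.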