[WEB SECURITY] Looking for advice about questionable web application practice.

Burton, Jim JBurton at mt.gov
Tue Oct 9 12:16:18 EDT 2012

Our state's Governor's office recently started a health clinic for state employees. This clinic, run by a third party, set up a web site to allow users to set up appointments at the clinic and to provide private health information.

When setting myself and my family members up, I was startled to get a warning saying that the password I wanted to use was not available, and I needed to choose another one.

Understand that this _wasn't_ because it failed to meet password criteria, but because that particular password was already in use!

In fact, I wanted to use the same password for my children's accounts, since they are under age I will be setting up their appointments anyway. I entered the same password as for my account, and received this error message "That password, XXXXXXX (the password was shown on screen!) is already in use. Please choose another"

I raised my concerns about this to the third-party provider, and was told they are requiring "unique usernames and passwords for enhanced security"

I replied that, since the web application is helpfully telling me that a password is already in use, and would also tell me that a username is already in use, I could develop a dictionary attack to build a list of known passwords and usernames, put the two together, and be able to access accounts. This would provide me with social security numbers and health-related information about other users.

I raised this issue with our state security officer, who told me they were told not to comment.

Am I out of line here? I'm a Unix server admin, not a security pro, so I am certainly not up to date on best practices for Web apps. But this "unique password" idea strikes me as a severe problem.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20121009/74ce05d3/attachment.html>

More information about the websecurity mailing list