websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Looking for advice about questionable web application practice.

lee jimmy
Wed, Oct 10, 2012 1:25 AM

Hi, Jim

It is ridiculous that a password can only be used by one user. As you
said, it is easy to make a username and password list. And the system
must have a password list, too. A password should be known only by the user.
Even the system administrator should not know any user's password.
But for this system, the administrator can get the whole password list.
For many web systems, even when a user fails to log in, whether the username or
the password is invalid should not be disclosed. Your concern about the system
is really an issue.

Once the list comes out, it is easy to guess the password by trying to log in.

Regards

-Jimmy

From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Burton, Jim
Sent: October 10, 2012 0:16
To: 'websecurity@lists.webappsec.org'
Subject: [WEB SECURITY] Looking for advice about questionable web application practice.

Our state’s Governor’s office recently started a health clinic for state
employees. This clinic, run by a third party, set up a web site to allow
users to set up appointments at the clinic and to provide private health
information.

When setting myself and my family members up, I was startled to get a
warning saying that the password I wanted to use was not available, and I
needed to choose another one.

Understand that this wasn’t because it failed to meet password
criteria, but because that particular password was already in use!

In fact, I wanted to use the same password for my children’s accounts,
since they are under age and I will be setting up their appointments anyway. I
entered the same password as for my account, and received this error
message: “That password, XXXXXXX (the password was shown on screen!) is
already in use. Please choose another.”

I raised my concerns about this to the third-party provider, and was told
they are requiring “unique usernames and passwords for enhanced security”

I replied that, since the web application is helpfully telling me that a
password is already in use, and would also tell me that a username is
already in use, I could develop a dictionary attack to build a list of
known passwords and usernames, put the two together, and be able to access
accounts. This would provide me with social security numbers and
health-related information about other users.

I raised this issue with our state security officer, who told me they were
told not to comment.

Am I out of line here? I’m a Unix server admin, not a security pro, so I am
certainly not up to date on best practices for Web apps. But this “unique
password” idea strikes me as a severe problem.

Jim
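An added illustration (not code from either poster or from the clinic's site): a registration and login flow with per-user salted password hashing. It shows that properly stored passwords cannot be compared across users at all, so a "that password is already in use" check can only exist when passwords are kept in a directly comparable form, and that login failures should return one generic outcome. The in-memory user store and account names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory store for the example: username -> (salt, hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {}
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt. The salt is what makes
    # two users' records unrelated even when their passwords are identical.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username: str, password: str) -> str:
    """Create an account. Only the username is checked for uniqueness; nothing
    about other users' passwords is consulted, so nothing about them can leak."""
    if username in USERS:
        return "Username already in use. Please choose another."
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))
    return "Account created."

def login(username: str, password: str) -> bool:
    """Verify credentials with a single generic failure result: the caller learns
    neither whether the username exists nor which of the two fields was wrong."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown usernames so response time
        # does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def stored_hashes_differ(user_a: str, user_b: str) -> bool:
    """Two accounts created with the same password end up with different
    stored values, so the server has no way to tell they share a password."""
    return USERS[user_a][1] != USERS[user_b][1]
```

With this storage an administrator holding the whole table still cannot recover or compare any user's password, which is the property the clinic's "unique password" rule gives up.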
