This is important to me because it means
     I can write programs that say "unknown user" vs "wrong password";
     on a campus with over 35,000 users, the more precise
     the feedback on errors I can provide to users, the better.  

   You don't want to get too precise.  Unix traditionally makes no distinction
   between "unknown user" and "wrong password," and even goes so far as to
   insert a fake delay to simulate the password decryption when you enter a bad
   user name.  This is so crackers don't get any clues as to whether they've
   entered a valid user name or not.  I wouldn't automatically assume that the
   null error message is a bug.

Whether or not UNIX does it is really irrelevant.

There are two schools of thought on this:

1) - giving out any information on valid usernames is a potential
partial security breach.

2) - The "login" user interface is the first one that any new user needs
to deal with; if it is unfriendly and confusing, it starts the user
off on the wrong foot.

On any system where mailbox names are the same as login names (i.e.,
almost all systems I'm familiar with unless the site goes to great
lengths to maintain a central directory service and to prevent login
names from showing up in mail & news), option 1 is useless, as an
attacker can merely scan mailing lists and newsgroups looking for
suitable targets.  

This is one of the things Jerry Saltzer mentioned on several occasions
when he (and I) were at Athena; the security of the system had better
depend solely on good design, with the only "secrets" in use being ones
which can be changed easily if compromised.  (as an aside, this is the
biggest problem with the Clinton administration's big-brother "clipper
chip" encryption proposal; the security of the system depends on the
algorithm, which is fixed, embedded in hardware, and classified
SECRET, remaining secret; it's only a matter of time before
reverse-engineering technology develops to the point where they can
peel all the coatings off the chip & reverse-engineer the algorithm.).

Certainly Transarc could provide a run-time configurable option for
those sites who want to go to great lengths to keep login names
secret, but I think the default should be to distinguish "login
incorrect" from "password incorrect".

                                        - Bill
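The two behaviours argued over above, as an added worked example that is not code from this thread or from Transarc's login program: a password check that, in its default mode, does the Unix-style thing the quoted reply describes (one generic "login incorrect" and a full hash computation even for an unknown user, so neither the message nor the timing reveals whether the name exists), and a run-time `distinguish_errors` switch of the kind Bill asks for, which returns "unknown user" / "password incorrect" instead. The user table, the account names and the use of PBKDF2 with a dummy salt/hash are assumptions made for the example; the third element of the return value counts hash runs so the reader can see the work done on each path.

```python
import hashlib
import hmac
import os

# Example parameters (assumptions for this illustration, not from the thread).
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; stands in for the 'password decryption' mentioned above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    """Create a (salt, hash) record for a new account."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample user database: username -> (salt, hash). Not real accounts.
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy record used for unknown users so that the failing path costs exactly one
# hash computation, the same as a real user with a wrong password.
_DUMMY_SALT, _DUMMY_HASH = make_user("dummy-password-never-accepted")


def login(username: str, password: str, distinguish_errors: bool = False):
    """Check a login attempt.

    Returns (ok, message, hash_runs).  hash_runs is how many password-hash
    computations the call performed; it exposes the timing difference between
    the two policies without needing a stopwatch.

    distinguish_errors=False : Unix-style, generic 'login incorrect' and a
                               dummy hash run for unknown users.
    distinguish_errors=True  : friendlier messages; an unknown user is answered
                               immediately, which leaks that the name is invalid.
    """
    record = USERS.get(username)
    user_exists = record is not None

    if not user_exists and distinguish_errors:
        # Fast path: says the name is unknown and skips the hash (0 runs).
        return False, "unknown user", 0

    # Unknown user in the generic mode: hash against the dummy record so the
    # attempt takes as long as one against a real account.
    salt, expected = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)

    # Constant-time comparison; the 'and user_exists' makes sure that guessing
    # the dummy password can never log an unknown user in.
    matches = hmac.compare_digest(candidate, expected) and user_exists

    if matches:
        return True, "login ok", 1
    if distinguish_errors:
        return False, "password incorrect", 1
    return False, "login incorrect", 1


if __name__ == "__main__":
    for mode in (False, True):
        print(f"distinguish_errors={mode}")
        for name, pw in (("alice", "wrong"), ("bob", "wrong"),
                         ("alice", "correct horse battery staple")):
            ok, msg, runs = login(name, pw, distinguish_errors=mode)
            print(f"  {name:6} -> {msg!r:22} ok={ok} hash_runs={runs}")
```

In the default mode an attacker who tries `alice` and `bob` with a bad password sees the same message and the same amount of work for both; in the distinguishing mode the unknown name is answered with no hashing at all, which is the clue the quoted reply warns about and the friendlier behaviour Bill prefers. A real implementation would also keep the dummy path's code identical to the real path rather than relying on a flag-protected branch, since the branch itself is a small timing signal.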
