Adding "Email or Username" in login page, is it safe?

The email and username are normally both considered to be public pieces of information, so it shouldn't make much of a difference. Not having those pieces of information publicly available might slow down a hacker for the length of a Google search.

If you're going to make it public, maybe just add an extra digit onto the minimum password length to compensate.


By having the username shown publicly you are giving attackers another piece of the puzzle before they launch the attack.

For example:

Assuming you can brute force Facebook, if Facebook showed some part of their users' login information, an attacker wanting to perform a brute force will just need to navigate to their victim's page, get the login info and start the attack.
But if they had to find the login information, the attack will be so much harder. They will have to perform some sort of social engineering/OSINT in order to find the login information, which can sometimes result in nothing (notice that Facebook does sometimes supply the account's username when visiting the profile, but they do prevent brute force attacks).

What should be done?

  • If there is nothing you can do about it and you need to display the username, which is also the account login, then have the maximum security you can in order to prevent any attack on the user (including in the forgot-password section).

  • You should allow the user to hide the username and have a display name instead (for example, my display name is Bubble Hacker but my username is different).
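The two recommendations above (a public display name that is separate from the login identifier, and hardened login and forgot-password flows) sketched as an added example. This is illustration code written for this page, not code from the answer's author or from any real site; the account store, the lockout threshold of 5 failures for 15 minutes, the reset-request interval, and the sample accounts are all constructed assumptions.

```python
"""Added example: keep the login identifier private, expose only a display name,
and rate-limit both login and password-reset attempts per account.
All thresholds and sample data are constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 5           # assumed: failed logins before a temporary lock
LOCKOUT_SECONDS = 900      # assumed: 15-minute lock
RESET_MIN_INTERVAL = 600   # assumed: at most one reset mail per account per 10 minutes
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    login: str              # used only to authenticate (e-mail or username); never rendered publicly
    display_name: str       # the only name shown on profile pages
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_reset_request: float = -1e12
    reset_token: Optional[str] = None


class AccountStore:
    def __init__(self):
        self._by_login = {}

    def register(self, login: str, display_name: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._by_login[login.lower()] = Account(login.lower(), display_name, salt, digest)

    def public_profile(self, login: str) -> Optional[dict]:
        """What a profile page exposes: the display name, not the login identifier."""
        acct = self._by_login.get(login.lower())
        return {"display_name": acct.display_name} if acct else None

    def login(self, login: str, password: str, now: Optional[float] = None) -> bool:
        """Returns True only on a correct password for an unlocked account.
        Every failure path returns the same False, so the form itself does not
        confirm whether the identifier exists or whether the account is locked."""
        now = time.time() if now is None else now
        acct = self._by_login.get(login.lower())
        if acct is None:
            hash_password(password, b"\x00" * 16)   # spend equal work on unknown accounts
            return False
        if now < acct.locked_until:
            return False
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.pw_hash):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False

    def request_reset(self, login: str, now: Optional[float] = None) -> str:
        """Forgot-password flow: same message whether or not the account exists,
        and a fresh token only if the per-account interval has elapsed."""
        now = time.time() if now is None else now
        acct = self._by_login.get(login.lower())
        if acct is not None and now - acct.last_reset_request >= RESET_MIN_INTERVAL:
            acct.last_reset_request = now
            acct.reset_token = os.urandom(32).hex()   # would be mailed to the account's address
        return "If that account exists, a reset link has been sent."


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com", "Bubble Hacker", "correct horse battery staple")
    print(store.public_profile("alice@example.com"))
    print(store.login("alice@example.com", "wrong guess"))
    print(store.request_reset("nobody@example.com"))
```

The lockout is keyed on the account rather than the client IP, because the scenario in the answer is an attacker who already knows the victim's login and can spread guesses across many addresses; the same generic reset message for known and unknown identifiers keeps the forgot-password page from becoming a second way to confirm which logins exist.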


First of all, maybe the user doesn't want it to be publicly known that he is using the site. So it might not be a good idea to show this information without approval.

To answer your question: in a normal situation, an attacker should know the e-mail before trying to conduct a brute-force attack. If you give away all the e-mail addresses, it will simplify the attacker's job.

However, some attackers are not trying to hack your website, but rather have obtained credentials another way (e.g. by hacking into e-mail). Then they will have both the e-mail address and the password, so it won't really matter.

But anyway, it allows hackers to create an index of which services/applications a user is using, and that is a violation of privacy. So unless you have user approval and a good reason, I wouldn't post all the e-mail addresses or user names.

I think this is kind of a straightforward question.