Authentication With Login and Password

Common implementation #1

public async login(username, password): Promise {
  const user = await this.userRepository.findUserByUsername(username)

  if (!user) {
    throw new HttpError.NotFound('username not found') // #1
  }

  if (user.password !== this.cryptoProvider.hash(password)) { // #2
    throw new HttpError.Unauthorized('user password is invalid') // #3
  }

  return user
}

Issues with implementation #1

• Potential user enumeration #1 and #3. The different errors returned allow an attacker to use different emails and observe the server response, checking which emails have accounts registered in our service.
• #2. Comparing hashes as strings may allow a hostile actor to perform a timing attack. The attacker can try to obtain information about a password (e.g. its length) by observing the response time of a request. Most string comparison implementations are created to be highly performant, preventing further checking as soon as any difference in strings is detected. The details are highly dependent on the underlying string comparison implementation, but the early return mechanism exposes a threat in the form of a timing attack. To prevent this it's crucial to use secure password comparison functions - ones that compare passwords as a whole and don't rely on short circuits eg. binary comparison using the XOR operator.

Common implementation #2

public async login(username, password): Promise {
  const user = await this.userRepository.findUserByUsername(username)

  if (!user) {
    throw new HttpError.Unauthorized('username or password is invalid') // #1
  }

  if (user.password !== this.cryptoProvider.hash(password)) { // #2
    throw new HttpError.Unauthorized('user or password is invalid') // #3
  }

  return user
}

Issues with implementation #2

• Potential user enumeration #1 and #3. A slightly better implementation than before due to the use of the same error to indicate that the authorization is invalid. Still, an attacker can try to perform the timing attack to check if a given email exists due to short-circuit logic - no password comparison if the user doesn't exist.
• #2 same as in the previous example. Insecure password comparison.

Correct implementation

public async login(username, password): Promise {
  const user = await this.userRepository.findUserByUsername(username)
  const samePassword = await this.cryptoProvider
    .comparePassword(username.password, password) // #1

  if (user && samePassword) { // #2
    return user
  }

  throw new HttpError.Unauthorized('user password is invalid') // #3
}

Rationale

• Same function flow for every case. Each call fetches the user from the DB and compares the password (no early returns #2). This way we eliminate the potential for the timing attacks.
• Uniform response in case of an error #3. A single error indicating failure without disclosing the details.
• The implementation is not presented here, but #1 indicates the use of secure password comparison function.

Examples of secure password comparison functions

• Native Node implementation: https://nodejs.org/docs/latest-v6.x/api/crypto.html#crypto_crypto_timingsafeequal_a_b
• From the bcrypt library: https://github.com/kelektiv/node.bcrypt.js#to-check-a-password

References

• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/04-Test_for_Process_Timing

• https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

Photo by Aubrey Odom on Unsplash