This is a demo script which compares the effects of error messages on the security of a login process from attacks.
> node index.js
Random user generated: { username: 'engineer', password: 'spring' }
Time to crack (smart): 16ms
Time to crack (naive): 0ms
TRIES (smart): 715679
TRIES (naive): 1083A collection of 1575 most commonly used passwords based on danielmiessler/SecLists.
A server which gives out specific error messages based on the failing stage of the login process. If the username is invalid, it'd say Invalid username.
A server which gives out vague error messages on failure of the login process. If the password is invalid and not the username, it'd still say Invalid username/password.
A hostile client which uses the dictionary to generate a pair of username and password and uses them to break into the system. It also analyzes the error messages on the following rules:
- An error message saying the password was invalid, indicates the username was a valid one.
- An error message saying the username was invalid, indicates no combination of password will result in a successful login.
- An inconclusive error message is ignored and the next combination is tried.
- It is assumed that the dictionay defines the sample space for a valid username and password.
MIT