2

I am doing an audit on a website, and discovered that you could create different accounts with the same username, but different passwords.

A user 'a' with password 'a' will have a different account than user 'a', but with password 'b'.

I have the feeling that this behavior is wrong, but I don't clearly see what the risk in doing so is.

There is no account recovery system on the website for now.
Login failure says "wrong username or password", so it doesn't disclose existing users.

Could you explain to me what the risks of providing this behavior are?

tux lu
  • 1
    Does the site have user pages or username-dependent links/forms? This could fail at a lot of places. From your description it's just not completely clear what features the site offers. – Arminius May 15 '17 at 09:40
  • No, you can't see the existing users, there are no "user pages", and links/forms use an ID, and not the username. It's basically a file sharing service for companies, there are no interactions between the users. – tux lu May 15 '17 at 09:49
  • Can users choose their passwords themselves? – Arminius May 15 '17 at 09:59
  • Yes, users can choose their password. The password can even be changed, when logged in. – tux lu May 15 '17 at 10:05
  • 1
    There was a time not so long ago when Amazon had a separate local website for every country with separate accounts. As I lived in different countries, I had to register on every local website with the same e-mail address. At some point they allowed you to log in on every other local website with the same credentials. Therefore I now have several separate Amazon accounts that I can access on every local website with the very same e-mail address but different passwords. – Kyle_the_hacker Nov 15 '18 at 17:22
  • It can be argued this is privacy and security friendly. You cannot use the signup method to learn anything about existing users. It is also good for the user if they can use familiar logins. It just means you cannot use the login name to identify the user (in URLs) – eckes Nov 16 '18 at 03:05

3 Answers

2

This behavior suggests that the passwords are not stored in a correct way.

Presumably the website you audit looks up users in a database, matching both the fields username and password. This means that the password is not hashed, or hashed in a predictable way. If all passwords had a different salt, the lookup function would have to check every password in the database. This can only be done in a reasonable time when using a very fast hash function, which is a bad idea when storing passwords.

So the passwords are either not hashed, hashed without salt, or hashed with a very fast hash function. This is not optimal, since it is recommended to hash passwords using salts and a slow hash function, such as bcrypt.

Sjoerd
  • That is the root of the problem I didn't mention because I was fully aware that the passwords weren't salted, and thought it was a different problem. But I didn't think about the fact that salting hashes would prevent creation of accounts with same names. Existing accounts with the same name may cause issues when they salt their hashes, I must warn them about that. – tux lu May 15 '17 at 12:24
  • You can totally have a website with multiple different Hashes but the same user name. There is no correlation between this and the fact that usernames are not unique. The login procedure just needs to retrieve all possible Hashes and use the salts of each in turn to validate the hash. The biggest risk is how to recover a lost password (emails would have to exist and be unique). – eckes Nov 16 '18 at 03:04
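
Added example, not part of the original answers or comments: a sketch contrasting the single indexed lookup that Sjoerd's answer infers with the per-row verification eckes describes. The class names, in-memory storage and iteration count are assumptions, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib, hmac, os

ITERATIONS = 50_000  # assumption: kept low so the demo runs quickly

def slow_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt (standard library only).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class UnsaltedStore:
    """One indexed lookup on (username, fast unsalted hash)."""
    def __init__(self):
        self.index = {}  # (username, sha256 hex) -> account id

    def _key(self, username, password):
        return (username, hashlib.sha256(password.encode()).hexdigest())

    def register(self, username, password, account_id):
        key = self._key(username, password)
        if key in self.index:
            return False  # rejection reveals that this exact pair already exists
        self.index[key] = account_id
        return True

    def login(self, username, password):
        return self.index.get(self._key(username, password))

class SaltedStore:
    """Per-row salt and slow hash: every row sharing the username is tried."""
    def __init__(self):
        self.rows = []      # (username, salt, hash, account id)
        self.kdf_calls = 0  # number of slow-hash evaluations during login

    def register(self, username, password, account_id):
        # A duplicate pair can only be detected by verifying each candidate row.
        if self.login(username, password) is not None:
            return False
        salt = os.urandom(16)
        self.rows.append((username, salt, slow_hash(password, salt), account_id))
        return True

    def login(self, username, password):
        match = None
        for name, salt, stored, account_id in self.rows:
            if name != username:
                continue
            self.kdf_calls += 1
            if hmac.compare_digest(slow_hash(password, salt), stored):
                match = account_id  # keep looping: cost does not depend on position
        return match
```

With salts, the login cost grows with the number of accounts sharing a username, and equal passwords no longer produce equal stored hashes, so a database uniqueness constraint on (username, hash) cannot catch duplicate pairs.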
0

Once I worked as a developer on software that identified users by (username, password) pair, so usernames did not need to be unique. However, it would occasionally happen that two users would pick the same username and password. I think the result was that you would accidentally end up in another user's account.

Note that this is only likely to happen if you don't have any restrictions on passwords. If you check passwords against a dictionary to eliminate the most common passwords, it is unlikely that two users will pick the same password.

Sjoerd
  • If passwords are stored properly, they should not be the same in the database just because they are the same in plain - that's not to say this is a good system, it sounds completely wrong to me. – Pete May 15 '17 at 11:40
  • Thanks, @Pete, I have added another answer based on your suggestion. – Sjoerd May 15 '17 at 11:47
  • 1
    If you try to create a user with the same name and password as someone else, the website returns an error. The user can then draw any conclusion he wants about this :( ... – tux lu May 15 '17 at 12:16
0

In addition to the risk with how passwords are stored/hashed that is mentioned in Sjoerd's answer, this situation makes it difficult to properly log or audit behavior. If you see that something was done by the user 'a', then was it done by the one with the password 'a' or 'b'? Technically this can be avoided by logging a separate unique identifier such as an account number, but it could also be avoided by just using unique usernames in the first place.