How to implement "Incorrect username/password" hint for a webservice using Flask HTTP Auth?

Question

I have a client app that interacts with a web service to retrieve account information. There's a requirement that the user is notified if they mistyped the username/password. I'm modifying the web service to return something to my client to provide a hint to the user that there's an error in input.

How do I correctly implement the "username/password" not found for a web service using Python?

• Do I tell the user that the username exists, but the password is incorrect?
• Do I tell the user that there is no such username, but the password matched something?
• Do I show a generic username/password combination is not found?
• Do I use different status codes for different situations or provide a JSON payload with the error?

here's my code so far:

from flask.ext.httpauth import HTTPBasicAuth

accounts = [
    ["user0",   "password0"],
    ["user1",   "password1"],

]

@app.route('/accountlist')
@auth.login_required
def accountlist()
    username  = auth.username();
    if ... : #check if accounts does not have the given username
        #notify the sender that there is no such username
        return Response('Not Authorized', 401, {'WWW-Authenticate': 'Basic'})
    else:
        #proceed to check password and retrieve/return account information

Answer 1

Do I show a generic username/password combination is not found?

Yes. Why do you think this is "generic"? Because it is the standard. This is the correct way because than a hacker can't go phishing for usernames.

Answer 2

Do I tell the user that the username exists, but the password is incorrect?

No, letting the user know that the username is correct is a user enumeration vulnerability. You are letting an attacker know which usernames are valid allowing them to narrow their target range. This would be useful if they later decided to try a brute force attack as they already know the usernames are correct and now they only need a working password.

Do I tell the user that there is no such username, but the password matched something?

Definitely not. This would mean that the attacker now had a valid password and could use any other username enumeration vulnerability on your site in order to try and find a valid username. Another common username enumeration location is the forgotten password form - many sites report back that there is no such username allowing an attacker to refine their list. Alternatively, they could use this password and brute force a username from it which may be a much easier job as usernames shouldn't benefit from being complex.

As an aside to this, you should be storing your passwords salted and hashed using a secure, slow algorithm such as bcrypt. This should mean it is not possible for you to practically check to see if any password matches the one entered.

Do I show a generic username/password combination is not found?

Yes!

Do I use different status codes for different situations or provide a JSON payload with the error?

Your JSON could return true or false to let the calling JavaScript know whether authentication was successful. If you ever develop any brute force protection, this should be accomplished by introducing a delay in the response rather than hard locking accounts. Hard locking accounts leads to a DoS attack as an attacker can lock out a valid account by repeatedly using the wrong password on purpose. For this reason, only a true/false response is really needed to let the user know if they were successful. Even if the account was hard locked, I would return false but include in the message that the user should contact technical support if they believe they should have access with the password provided.