How easy is it for a client to get a user's UserID?

  • Question

  • Hi,

    Would using a user's UserID as their password be a security vulnerability? Obviously no one is going to guess the GUID, but does .NET membership / IIS give out this information in any way?

    Thanks,

    Joe
    Friday, December 18, 2009 9:45 AM

Answers

  • I do not think it is a good idea to have the same password as a user ID. I would consider it a vulnerability, since the user ID is clear text when users type it in. In some cases it is possible to retrieve user IDs from the database. For example, if the application has a SQL injection vulnerability, users would be able to retrieve pretty much anything they want. So you would need to look into the security aspects of the application from multiple angles.
    Val Mazur (MVP) http://www.xporttools.net
    Friday, December 18, 2009 11:13 AM
    Moderator
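    As an added example (not code from this thread or from ASP.NET membership itself): a small Python/sqlite3 sketch of the leak Val describes. The table is a constructed stand-in carrying only the two columns that matter from the SqlMembershipProvider's aspnet_Users table (UserId, a GUID, and UserName); the lookup functions, the sample users and the payload are hypothetical. The vulnerable lookup concatenates the client-supplied username into the query, so a UNION payload dumps every UserId; the parameterised version returns nothing for the same input.

```python
import sqlite3
import uuid

# Constructed stand-in for the membership store: the real aspnet_Users table
# has more columns, but UserId (a GUID) and UserName are the two that matter here.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE aspnet_Users (UserId TEXT PRIMARY KEY, UserName TEXT UNIQUE)"
    )
    # Deterministic sample GUIDs so the results are predictable.
    rows = [(str(uuid.UUID(int=n)), name) for n, name in ((1, "joe"), (2, "val"), (3, "paul"))]
    conn.executemany("INSERT INTO aspnet_Users VALUES (?, ?)", rows)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical profile lookup built by string concatenation.
    Whatever the client sends as `username` becomes part of the SQL text."""
    sql = "SELECT UserId, UserName FROM aspnet_Users WHERE UserName = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup, parameterised: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT UserId, UserName FROM aspnet_Users WHERE UserName = ?"
    return conn.execute(sql, (username,)).fetchall()


# A "username" that closes the string literal, appends a second SELECT over the
# whole table, and comments out the closing quote the application adds.
PAYLOAD = "nobody' UNION SELECT UserId, UserName FROM aspnet_Users --"


def demo():
    """Return (rows the vulnerable lookup leaks, rows the safe lookup returns)."""
    conn = build_db()
    return lookup_vulnerable(conn, PAYLOAD), lookup_safe(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup leaked", len(leaked), "UserIds:")
    for user_id, name in leaked:
        print("  ", name, user_id)
    print("parameterised lookup returned", len(safe), "rows")
```

    The point for Joe's question: the GUID only needs to leak once, through any query that touches the user table, to become a known password for that account, so the secrecy of a UserId rests on every data access path in the application, not just on the membership API.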
  • Yes, it's a security vulnerability. User IDs are highly discoverable, especially within an organization. In addition, you can set (if it isn't set by default) the password policy so that user IDs are not allowed as passwords.

    Password Best practices

    Paul ~~~~ Microsoft MVP (Visual Basic)
    Friday, December 18, 2009 2:33 PM
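    An added example, not from Paul's post: a Python check of the kind of policy he describes, rejecting any candidate password that equals the account's user ID or username. In ASP.NET membership the natural place for such a check is a handler for the provider's ValidatingPassword event (set e.Cancel and e.FailureInformation to reject); the function below is a hypothetical stand-in for that handler, and it normalises the GUID layouts .NET's Guid.ToString() can produce so that a user cannot dodge the rule by re-formatting the ID.

```python
import re

_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def normalise_guid(text):
    """Return the 32-hex-digit form of a GUID-looking string, or None if it is not one.
    Accepts the layouts Guid.ToString() produces: hyphenated ("D"), bare ("N"),
    in braces ("B") and in parentheses ("P"), in upper or lower case."""
    s = text.strip().lower()
    for left, right in (("{", "}"), ("(", ")")):
        if s.startswith(left) and s.endswith(right):
            s = s[1:-1]
    s = s.replace("-", "")
    return s if _HEX32.match(s) else None


def check_password(candidate, user_id, username):
    """Hypothetical policy check standing in for a ValidatingPassword handler.
    Rejects a password equal to the username (case-insensitive) or equal to the
    account's user ID in any GUID layout. Returns (accepted, reason);
    reason is None when the password is accepted."""
    if candidate.strip().lower() == username.strip().lower():
        return False, "password must not be the username"
    candidate_guid = normalise_guid(candidate)
    if candidate_guid is not None and candidate_guid == normalise_guid(str(user_id)):
        return False, "password must not be the account's user ID"
    return True, None


if __name__ == "__main__":
    # Constructed sample account.
    uid = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
    for pw in ("{3F2504E0-4F89-11D3-9A0C-0305E82C3301}", "Joe", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, uid, "joe"))
```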

All replies

  • Thanks for the reply. I agree. This is someone else's application that I'm going over. I've pointed this out to them, but I was wondering if there was a specific feature of IIS that will do something like dump all UserIDs to the response stream so that I can demo it?

    Thanks,

    Joe
    Friday, December 18, 2009 12:04 PM