How to prevent username and password matches when changing a username?

The only sensible way to get what you want is to ask for the password when a user changes their username. This way the server always has the information needed to conduct an accurate comparison between the username and password during a change, and prevent matches.

As sensitive operations - such as changing passwords, or in your case usernames - should require a password anyways (to limit the damage of XSS), this shouldn't be a problem.

Your only other alternative is to try every possible case combination, hash it, and compare that to the stored hash when a user changes their username.


Going against the grain a little - don't care whether the username is changed to a "substantially similar" string as the password. Warn users about the danger of selecting the same password and check for the identical match.

No matter how many rules you put in place, if the user is determined they'll find a way around them. If you must, prompt for the password upon username change so you can force them to the same casing, or just let it through and check the next time they log in and force a user/pass change then.

The only time any of this matters is if your users are subjected to a targeted attack. If a random script kiddie (or some other opportunist) gets ahold of the user list, they have way more sophisticated tools to break those passwords than trying to match the username. So does the targeted attacker, for that matter, but they may start with simple things they can type into the keyboard themselves. And if it's an intelligent person trying to break the password "PwdRsch1", are you really going to be safe just checking case differences? What about "pwdr5ch1"? "PwdRsch2"? "1hcsRdwP"? You can write rules for any of these scenarios you can think of, but either there'll be one you forgot or you'll make it so difficult to select a username/password combo that they'll just wind up using "P4ssw0rd!" and be done with it.

Education is the only way to get your users to use genuinely secure passwords, and there will always be those that don't comply.


Let's say the username has 10 letters in it. That's 1024 different combinations of upper and lower case. Check them all.

Don't store the lower case password hash. That 1024 may seem inconvenient to you, but it's the difference between a day and three years for an attacker.
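The case-enumeration check that the first and third answers describe, written out as an added example (not code from either answer): it enumerates every upper/lower-case spelling of the new username, hashes each with the account's stored salt, and rejects the change if any spelling matches the stored password hash. The PBKDF2 parameters, the salt and the `MAX_CASE_VARIANTS` cap are constructed for this example; the cap exists because each variant costs a full password-hash computation, so an uncapped check on a long username is a CPU exhaustion risk.

```python
import hashlib
import hmac
import itertools

# Constructed parameters for this example only. The iteration count is kept
# low so the demo runs quickly; a production deployment uses far more.
PBKDF2_ITERATIONS = 2_000
EXAMPLE_SALT = b"constructed-per-user-salt"
# Each variant costs one PBKDF2 run, so bound the work (2**12 variants here).
MAX_CASE_VARIANTS = 2 ** 12


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash, as it would be stored for the account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def count_case_variants(s: str) -> int:
    """2**n, where n is the number of characters that have distinct cases."""
    return 2 ** sum(1 for c in s if c.lower() != c.upper())


def case_variants(s: str):
    """Yield every upper/lower-case spelling of s (uncased characters are fixed)."""
    choices = [(c.lower(), c.upper()) if c.lower() != c.upper() else (c,) for c in s]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def new_username_matches_password(new_username: str, salt: bytes, stored_hash: bytes) -> bool:
    """True if some case variant of new_username hashes to the stored password hash.

    Raises ValueError when enumeration would be too expensive; the caller should
    then fall back to prompting for the password and comparing in plaintext.
    """
    if count_case_variants(new_username) > MAX_CASE_VARIANTS:
        raise ValueError("too many case variants to check; require the password instead")
    for candidate in case_variants(new_username):
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return True
    return False


if __name__ == "__main__":
    # Constructed account: password "pwdrsch1"; the user asks to rename to "PwdRsch1".
    stored = hash_password("pwdrsch1", EXAMPLE_SALT)
    print(count_case_variants("PwdRsch1"), "variants to check")
    print("reject rename:", new_username_matches_password("PwdRsch1", EXAMPLE_SALT, stored))
```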