Managed Chaos
Naresh Jain's Random Thoughts on Software Development and Adventure Sports

Usability and Security: Striking a Hard Balance

Recently I was designing a web application with a standard user registration module. You need a unique email address to register a new account: once the user fills in an unused email address along with the other basic info, they can go ahead and create the account. To prevent bots from registering bogus users, we had to add a captcha image, so that only a real human who enters the captcha code can complete the registration. This was the first instance where, for security reasons, we had to add an extra step to the registration process and hence compromise on usability.

Since most websites have a captcha today, I can live with that compromise. But the story does not end there. To make registration smoother, I had added an AJAX call on the email address field of the registration page, so that if the address was already registered the user could be told right away, before filling in all the other information and hitting submit. Little did I know that this amounted to user enumeration, a form of dictionary attack: a bot can run a list of candidate addresses through that call and brute-force the set of email addresses registered on our site. Since it was a plain AJAX call, a bot could exploit it without ever entering a captcha code. To close this hole, I had to reorder the fields on the registration page so that the email address came first, immediately followed by the captcha image. Once the user enters the captcha code, we fire an AJAX call that first checks, on the server, whether the captcha code is correct. Only if it is do we check whether the email address is already registered; if it is, we notify the user of the error and load a new captcha image. For the reordering to actually help, the server must consume the captcha on that first check, whether the answer was right or wrong, so that one solved captcha cannot be replayed against the check for many different addresses; and the endpoint should still be rate-limited, since a captcha only slows an attacker down rather than stopping one.
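To make the two designs concrete, here is an added example (my own illustration, not code from the original post): a toy in-memory model of the "is this email taken?" AJAX check in Python, with the unprotected version beside a version gated by a single-use, server-verified captcha. The dict-shaped responses, the store and function names, and the sample addresses are all assumptions.

```python
"""Toy model of the registration 'is this email already taken?' AJAX check.

Added illustration, not the original post's code. The dict-shaped
responses, the in-memory stores and the helper names are assumptions;
a real deployment would back them with a database and a captcha service.
"""
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample data: addresses that are already registered.
REGISTERED = {"alice@example.com", "bob@example.com"}


# --- The first design: an unauthenticated lookup ------------------------------

def check_email_unprotected(email: str) -> dict:
    """Answers 'taken?' for anyone, as often as they like: an enumeration oracle."""
    return {"taken": email.strip().lower() in REGISTERED}


def enumerate_registered(candidates: List[str]) -> List[str]:
    """What a bot does with the oracle: run a dictionary of guessed addresses
    through it and keep the hits. No captcha is ever involved."""
    return [e for e in candidates if check_email_unprotected(e)["taken"]]


# --- The reordered design: captcha verified server-side, then the lookup ------

class CaptchaStore:
    """Issues captcha challenges keyed by an opaque id; each id is single-use."""

    _ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def issue(self) -> Tuple[str, str]:
        """Return (challenge_id, solution). The solution is what the image
        would show; only the id is sent to the browser alongside the image."""
        challenge_id = secrets.token_urlsafe(16)
        solution = "".join(secrets.choice(self._ALPHABET) for _ in range(6))
        self._pending[challenge_id] = solution
        return challenge_id, solution

    def consume(self, challenge_id: str, answer: str) -> bool:
        """Check the answer and delete the challenge whether or not it matched.
        Deleting on failure stops a bot from guessing the same captcha
        repeatedly; deleting on success stops it from replaying a solved
        captcha against the email check for many different addresses."""
        solution = self._pending.pop(challenge_id, None)
        if solution is None:  # unknown, expired, or already used
            return False
        # Constant-time comparison on bytes, so odd input cannot raise.
        return hmac.compare_digest(solution.encode(), answer.strip().upper().encode())


def check_email_protected(store: CaptchaStore, email: str,
                          challenge_id: str, answer: str) -> dict:
    """The AJAX handler behind the reordered form: captcha first, lookup second.

    Unknown, reused and wrong captchas all get the same response, so the
    captcha step itself leaks nothing about the address."""
    if not store.consume(challenge_id, answer):
        return {"error": "captcha", "taken": None}
    return {"taken": email.strip().lower() in REGISTERED}


if __name__ == "__main__":
    # Against the first design, a constructed list of guesses is enough.
    guesses = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("enumerated via unprotected endpoint:", enumerate_registered(guesses))

    store = CaptchaStore()
    cid, solution = store.issue()  # solution stands in for a human reading the image
    print("fresh captcha:   ", check_email_protected(store, "alice@example.com", cid, solution))
    print("replayed captcha:", check_email_protected(store, "bob@example.com", cid, solution))
```

The captcha gate only raises the per-lookup cost; the same handler still wants per-IP rate limiting, and the final "create account" request must fail in the same way for a taken address as the AJAX check does, or the enumeration simply moves to the submit button.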

Another example of how there is always a tension between making an application usable and making sure it is secure.


Licensed under Creative Commons License