What are the potential downfalls of allowing multiple people to have the same username in a system, but with different passwords which combined represent a unique user?
I have a relatively small system which at most will have about 100 users. The system is not financial and no harm can be done by unauthorized access (although it is something we want to prevent!).
The system is basically partitioned by client and within a client are usernames. The legacy system used to allow the same username within a client, and would distinguish what client the user was by looking at the first 3 characters of the password (which wasn't encrypted).
I've built a new system whereby each user regardless of client needs a unique username, however they now want to be able to have the same username multiple times.
The only way I can think of doing this is making the combination of username and password the key in finding the user id (the primary key in the database is an int field so there's no issues there).
What are the downfalls of this approach? The only one I can think of is that it is technically possible for two people with the same username to guess the other person's password and log in to the wrong account.
I know this is not the best practice, but I can't really see any other big issues here for a small system. Any more input?
Answer:
The downfalls of this approach are:
- A user could accidentally log into another user's account if they have the same username and type the wrong password if another user with that username happens to have that password. On your small system this is a small risk. Note though that this won't scale should your system need to in future.
- If you are correctly storing passwords - salted and hashed using a slow algorithm, and say this algorithm takes one second to hash, this login time will multiply by the number of users that have that username. So if five users have the username foo, one unlucky user will have to wait 5 seconds to log into their account each time as their entered password is hashed against each salt in turn.
- The login delay can be used by an attacker to enumerate users using a side-channel timing attack. So if an attacker tries to log in as foo and it takes 5 seconds, they know that they have 5 times the chance of guessing a password on that account.
- The login delay could be used by another user of that username to infer that another account exists and they could attempt to brute force it under the guise of trying to log in to their own account.
- An attacker has multiple chances at guessing a password for a username rather than just one.
- Account lockout policies cannot be implemented to rate limit multiple login attempts against the same account without locking out other users with the same username.
- The security of two-factor authentication methods is reduced as One Time Password keys would have two chances of being guessed by an attacker. Additionally, systems such as SMS or phone call authentication cannot be used as the second factor as the system does not know who to call or text (and messaging multiple users would cause confusion for those users).
- If log files show a brute force attack against a username, it is difficult to know which user was the target of the attack.
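The cost multiplication and the ambiguous-match problem from the answer, shown in an added example that is not part of the question or answer above. It assumes a constructed in-memory `UserStore` (hypothetical, not the asker's system) where usernames are not unique, so every stored salt for a username has to be tried; the `pad_to` parameter is an assumed mitigation for the timing side channel only, not for the other points raised.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Deliberately slow hash; kept low here so the example runs quickly.
ITERATIONS = 20_000


class UserStore:
    """Constructed store where several accounts may share one username."""

    def __init__(self):
        self._by_username = defaultdict(list)  # username -> [(id, salt, hash)]
        self._next_id = 1
        self.hash_calls = 0  # slow-hash invocations during the last authenticate()

    def _hash(self, password, salt):
        self.hash_calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        uid = self._next_id
        self._next_id += 1
        self._by_username[username].append((uid, salt, self._hash(password, salt)))
        return uid

    def authenticate(self, username, password, pad_to=0):
        """Return the ids of every account whose (username, password) matches.

        Because the username alone is not unique, the entered password is hashed
        against each stored salt in turn: login cost grows with the number of
        accounts sharing the name, and more than one id comes back when two people
        happened to choose the same password (an ambiguous login).
        """
        self.hash_calls = 0
        accounts = self._by_username.get(username, [])
        matches = []
        for uid, salt, stored in accounts:
            if hmac.compare_digest(self._hash(password, salt), stored):
                matches.append(uid)
        # Assumed mitigation for the timing side channel only: always pay for
        # pad_to hashes so response time no longer reveals how many accounts
        # share the username (an unknown name costs the same as a crowded one).
        for _ in range(max(0, pad_to - len(accounts))):
            self._hash(password, os.urandom(16))
        return matches
```

Five accounts named foo cost five hashes per login attempt, an unknown username costs none, and two foo accounts with the same password both come back as matches.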