clearer error message for wrong credentials?

Come here to discuss FileZilla and FTP in general

Moderator: Project members

fzluca
504 Command not implemented
Posts: 7
Joined: 2020-09-25 13:35
First name: Flavio
Last name: Zarur

clearer error message for wrong credentials?

#1 Post by fzluca » 2020-09-25 13:44

Hello, friends!

By any chance, is it possible to translate the error message when user provides wrong credentials?

Error: 530 User cannot log in.

This error is not so clear. I wish we could make it clearer, something like "Wrong user or password". It would help with users possibly understanding the issue better and sooner.

Thanks!

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: clearer error message for wrong credentials?

#2 Post by botg » 2020-09-25 16:43

The message comes straight from the server and could have any number of reasons. It would be misleading to display a different error instead.


Re: clearer error message for wrong credentials?

#3 Post by fzluca » 2020-09-25 18:21

Thanks. Other situations, I imagined.

But it would be really nice if wrong user or pwd could have a clearer message. Can you consider it as a feature request, pls? or let us customize the error? Ideally, in case of wrong user or pwd show a clearer error...

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: clearer error message for wrong credentials?

#4 Post by boco » 2020-09-25 21:02

That's the question, the server doesn't tell exactly what's wrong. FileZilla thus cannot know if it is a wrong username, password, account suspended, or even the heat death of the universe. It would be misleading to display any specific message as we don't know.

Please note that this behavior is by design, the server will not tell if the username and/or password is/are wrong, in order to prevent password guessing.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###


Re: clearer error message for wrong credentials?

#5 Post by fzluca » 2020-09-25 21:44

Hi,

I see. Thanks a lot for such a fast and nice reply. Still, I'd consider something like "Incorrect login. Possible incorrect user/pwd or other errors".

But I do understand how complex it is.

Thanks!!


Re: clearer error message for wrong credentials?

#6 Post by boco » 2020-09-25 23:51

Two issues:

1. It's the server that sends exactly that text. While FileZilla only evaluates the response code (530) and ignores the text, modifying it is something no program should ever do (it's regarded as tampering with).

2. As already said, the error could be anything. Imagine the server lost its user database, same error. Imagine you are connecting to the wrong server, same error. And so on.


@botg: Modifying the server message is out of the question, but would it be possible to add a short status line after the login error, essentially saying "Check login credentials, contact server administrator if error persists!"?

Re: clearer error message for wrong credentials?

#7 Post by fzluca » 2020-09-26 12:25

Hi, Boco

I see. Ok, your idea is great. Let's see, if that can be done, would already help.

That's all I want, better guidance to users when it's user or pwd incorrect. Other servers do have that. For example, just put wrong pwd in some other FTP server I have, I got 530 Login authentication failed

Thanks.


Re: clearer error message for wrong credentials?

#8 Post by boco » 2020-09-27 09:29

It's the statement the developer always posts when someone asks about 530 Login incorrect. Putting it into the program will hopefully prevent many further posts about the problem. It's the sad truth that we cannot provide much help regarding pure server errors like this one. If the server says "Nay", FileZilla cannot override that.

Re: clearer error message for wrong credentials?

#9 Post by fzluca » 2021-02-28 17:21

Friend,

How are you? Any news to this? Did @botg reply?

Why other FTP servers give out a clear error? I still didn't understand 100%. You say the server says Nah, but isn't it filezilla checking pwd...?

Thanks!


Re: clearer error message for wrong credentials?

#10 Post by boco » 2021-03-02 11:36

> Did @botg reply?

Nope. :?

> Why other FTP servers give out a clear error?

I'm not aware of any FTP servers that give more information.

> You say the server says Nah, but isn't it filezilla checking pwd...?

Server says "Nah", but it doesn't say exactly what's wrong. "Login incorrect" does not always mean wrong password!

The behavior is by design. We don't want to give attackers any clues and hints. Thus, servers will not tell you if an account even exists.

Re: clearer error message for wrong credentials?

#11 Post by fzluca » 2021-03-02 19:27

Dear Boco,

Thanks again for your reply!

Now I understand, when you talk about attackers. I still think a mid-term would be nice :) We don't wanna mislead users either...

When you say "servers will not tell you if an account even exists.", AFAIK, when one uses filezilla server, it's the one that validates the pwd, no? Perhaps not always, if user integrates it with some other authentication server, correct?

I did a test with 3 different FTP servers, putting wrong pwd. See results below.

I believe you had agreed with me, just a bit clearer error. Something like Unable to connect. Credentials possibly invalid.

Something that would give a clue, at least. User cannot log in is so generic...

See, 3 other FTP servers, wrong pwd

530 Identification failed, please try again

530 Login incorrect.

530 Login authentication failed

xxx

Maybe what is missing is the word login? :)

user cannot login, then critical error. it seems like something else is wrong, maybe that's the goal, to mislead attackers, then it worked :)

Thanks


Re: clearer error message for wrong credentials?

#12 Post by boco » 2021-03-03 03:23

Imagine you try to log in with a made-up username. Even then, the FTP server first asks for the password, then tells "530 Login or password incorrect!" (text from legacy FileZilla Server). The attacker (guessing or probing login data) will not gain any knowledge about if that account actually exists. The server will not tell, it's a cover-up.

> AFAIK, when one uses filezilla server, it's the one that validates the pwd, no?

Well, yes, not the actual password, but it validates the computed SHA512 hash against the stored one. FileZilla Server does neither store nor know your password. But even if there's nothing to validate, it will still ask for a password, to not reveal the non-existence of the account.


Again, FileZilla Server sends:

530 Login or password incorrect!

How could that be misleading? Actually, the text is even irrelevant, these messages are not targeted at the user. It's meant for the client and for us.

The final "Critical error" is from FileZilla Client and means that the error will not resolve without your intervention. FileZilla will evaluate the numeric code, any starting with 5xx is "permanent failure condition". It doesn't get any more specific in terms of user credentials.
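Added example, not part of the thread and not FileZilla code: a sketch of the server behaviour described in posts #6 and #12, where every failed login gets the same 530 reply and the client only looks at the numeric code. The user database, the "331" and "230" reply texts and the PBKDF2-HMAC-SHA512 hashing are assumptions of this example; only the 530 text is taken from the post.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this example

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA512 is this example's choice, not FileZilla Server's scheme.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)

def make_account(password: str, enabled: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "enabled": enabled}

# Constructed user database: only salted hashes are stored, never passwords.
USERS = {
    "alice": make_account("correct horse"),
    "bob": make_account("hunter2", enabled=False),  # suspended account
}
# Dummy record so an unknown user costs the same hash computation as a real one.
DUMMY = make_account("placeholder")

def reply_user(username: str) -> str:
    # Always ask for the password, whether or not the account exists.
    return "331 Password required"

def reply_pass(username: str, password: str) -> str:
    account = USERS.get(username)
    record = account or DUMMY
    candidate = _hash(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if account is not None and account["enabled"] and matches:
        return "230 Logged on"
    # Unknown user, wrong password and suspended account are indistinguishable.
    return "530 Login or password incorrect!"

def classify(reply: str) -> str:
    # Client side: only the first digit of the reply code is evaluated.
    kinds = {"1": "preliminary", "2": "success", "3": "need more input",
             "4": "transient failure", "5": "permanent failure"}
    return kinds.get(reply[:1], "invalid reply")
```

Because the three failure causes produce byte-identical replies, the client has nothing to base a more specific message on.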


Re: clearer error message for wrong credentials?

#13 Post by fzluca » 2021-03-08 12:32

Friend,

Sorry, my bad. I had understood my host used Filezilla FTP server, that's what I meant since the beginning, hence I put this message in this section of the forum, but it seems they don't use it.

Sorry for the confusion and for taking your time. Feel free to delete this post.

Thanks.


Re: clearer error message for wrong credentials?

#14 Post by boco » 2021-03-08 17:41

We don't delete posts, unless it's spam or could mislead others. As there's some information in this topic, I'll lock and then will move it to General Discussion.

[Locked] on request.