Example: When I try to sign in to a service with a Username / Password combination, the error message always returns as "Username or password is invalid." But the actual case is that I input a wrong username which doesn't even exist on this site. Why doesn't the message simply tell me the username doesn't exist?
I tried with several services. Only Facebook tells me my account doesn't exist. Others (Google, Twitter, SlideShare, Yahoo!) just don't rule out the possibility that the password is wrong.
I am wondering why this is a common practice. Is it some tradition dating back to an old-time limitation, which has great potential to improve, or does it behave like this for some legal reason?