Saturday, August 10, 2019

copywriting - How to tell the user his login credentials are incorrect?


When a user has entered incorrect details into a login form, is it better to tell them:



  • The username or password you have entered is invalid.


or



  • The user name you have entered is invalid (for invalid usernames)

  • The password you have entered is invalid (for valid usernames but invalid passwords).



The first approach "might" be more secure, as an attacker would not be able to confirm whether the username/email address is valid. At the same time, the user might get frustrated by not being able to remember the email address or username he signed up with.


The second approach is clearly more user friendly, but an attacker would be able to work out what a valid username/email is, and then launch an attack on guessing the password.


Some examples:



  • Amazon: There was an error with your E-Mail/Password combination. Please try again.

  • Hotmail: "That Windows Live ID doesn't exist. Enter a different ID or get a new one." and "That password is incorrect. Try again."


Which way should I go about displaying those errors?



Answer



You have to go with the first option (stating that the "username or password is invalid"), and this has nothing to do with security.



Let's say that I usually use JohnGB as my username, but on your service someone else has that username, so I use JohnGB123 instead. Say I've then forgotten my username and I enter JohnGB as my username, but use my correct password.


Is that a correct password and incorrect username or a correct username and an incorrect password?


There is no such thing as having a correct username without its matching password, and no correct password without its matching username. Usernames and passwords only represent anything when used in combination.
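The two approaches from the question, side by side, as an added example (not code from the question or the answer): `login_leaky` returns the per-field messages from the second approach, so the message alone tells an attacker whether a username exists; `login` returns one combined message for both failures. The example also covers a caveat the question only touches on: a generic message is not enough if the "no such user" path returns noticeably faster than a real password check, so the hardened version verifies against a dummy record when the username is unknown. The user store, the `JohnGB123` account, and the PBKDF2 parameters are constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed cost parameter for the example

# Generic message that does not reveal which field was wrong.
GENERIC_ERROR = "The username or password you have entered is invalid."

# Per-field messages, as in the second approach from the question.
BAD_USER = "The user name you have entered is invalid."
BAD_PASS = "The password you have entered is invalid."


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    """Create a (salt, hash) record for a new user."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store: username -> (salt, hash).
USERS = {
    "JohnGB123": make_record("correct horse battery staple"),
}

# Dummy record checked when the username is unknown, so the unknown-user
# path costs a real hash computation and a random password nobody can guess.
_DUMMY_SALT, _DUMMY_HASH = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str):
    """Second approach: distinct messages reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, BAD_USER
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, BAD_PASS
    return True, "Welcome, %s" % username


def login(username: str, password: str):
    """First approach: one message, and the same amount of work, on every failure."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always compute the hash and compare in constant time, even for an
    # unknown user, so response time does not act as the oracle instead.
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if not (known and matches):
        return False, GENERIC_ERROR
    return True, "Welcome, %s" % username


if __name__ == "__main__":
    for fn in (login_leaky, login):
        print(fn.__name__, fn("JohnGB", "correct horse battery staple"))
        print(fn.__name__, fn("JohnGB123", "wrong password"))
```

With `login_leaky`, the wrong-username and wrong-password attempts come back with different text; with `login` they are indistinguishable by message and take the same hashing work. The same care applies to other side channels the message does not cover, such as a "forgot password" form that says whether the address is registered.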

