Incorrect login information
When a user has entered incorrect details into a login form, is it better to tell them:

  • The username or password you have entered is invalid.
  • The username you have entered is invalid (for invalid usernames).
  • The password you have entered is invalid (for valid usernames but invalid passwords).

The first approach "might" be more secure, as an attacker would not be able to confirm whether the username/email address is valid. At the same time, the user might get frustrated by not being able to remember the email address or username they signed up with. The second approach is clearly more user friendly, but an attacker would be able to work out what a valid username/email is, and then launch an attack on guessing the password.

  • Amazon: There was an error with your E-Mail/Password combination.
  • Hotmail: That Windows Live ID doesn't exist.

Which way should I go about displaying those errors?

I'm going to give some advice from a Security standpoint + UX. I wouldn't sacrifice either one for the other. There's an important question of secure practices in your question. The Best Practice from a security standpoint is to not identify which entry was invalid, and have a generic answer.

Let's ask What Would Google Do and take Google's Gmail as an example: Going through the "Can't access your account?" link, Gmail will eventually tell you that this account does not exist: It's ultimately up to you whether or not you want to do this. From a security standpoint, attackers can begin to collect the valid usernames in your application. From a usability standpoint, you've just helped someone figure out which of their countless e-mail addresses they used on your account, and can get logged in sooner.

The most secure practice is to tell the user something along the lines of: "If a valid e-mail address was entered, instructions to reset your password have been sent". Check out this Smashing Magazine article that reviews the many approaches to login forms: From a usability standpoint, you can definitely provide multiple methods of trying to get back into the account (login with Twitter, Gmail, Facebook; there are APIs for that).

So your first option is Definitely more secure. Just to summarize: a user might be frustrated that they can't remember which email they used. A user will lose all confidence in you if their account gets hacked because UX trumped security. I hope this helps Erics, I'm really curious what solution you end up choosing.

To learn more about enumeration and the real danger it causes: It may also be helpful to learn more about forgot password security from this OWASP cheat sheet: It gives best practices for business applications, but is also still useful to keep in mind.

The answer depends strongly on the system for a few reasons. A valid point is raised in saying you can't know if they have the "right" username if they don't have the right password, for example John states he might be trying to access the wrong John. But there are multiple situations where telling me the username exists can help me. In this case you actually know the username is wrong, not the password or the username/password combo. The username doesn't exist: There is no non-security reason not to let your user know this! There's no sense in letting a user type furiously away to login to a non-existing account unless they're a bot/malicious agent.
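As an added example (not code from the question or from any of the answers above), here is a constructed Python login check written in the per-field style beside one written in the generic-message style; the user store, salts, dummy credential and iteration count are sample values made up for this example:

```python
# Added example: a login check that reveals which field was wrong, beside one
# that returns the single generic message and does the same amount of hashing
# work whether or not the username exists (so response time does not reveal it).
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # sample value for the example, not a recommendation


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so the unknown-user
# path costs the same as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("unused placeholder", _DUMMY_SALT)

GENERIC = "The username or password you have entered is invalid."


def login_leaky(username: str, password: str) -> str:
    """Per-field messages: each branch tells the caller whether the account exists."""
    if username not in USERS:
        return "The username you have entered is invalid."  # confirms non-existence
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "The password you have entered is invalid."  # confirms existence
    return "OK"


def login_generic(username: str, password: str) -> str:
    """One message for every failure, and the same hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # Even if a guess happened to match the dummy hash, an unknown username
    # must never log in; the message stays generic either way.
    if ok and username in USERS:
        return "OK"
    return GENERIC
```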





