Geek asks and answers

Which error message is better when the user enters the wrong password?

Are there security differences between the two error messages when users enter the wrong password?

The username or password you entered is incorrect.

Incorrect password.

For example, when you enter an invalid password on Gmail.com, it will tell you: "The username or password you entered is incorrect." Are there any considerations for security reasons? I think the error message: "The password you entered is incorrect" is more understandable to users. And, what’s more, it’s very simple to check if a username exists on Gmail.com: just click “Unable to access your account?” And enter a username. If the username does not exist, it will inform you.

+5
source share
4 answers

The idea is not to provide hackers with additional information. If you say the wrong password, you told the hacker that they have the correct username and vice versa. Although what you said is true, on some sites you can determine if you guessed the username in other ways.

+8
source

The simplest and most common phrase to use:

"You entered an invalid username or password"

The rationale for this is to prevent someone from trying to overdo your account by guessing the password. If an attacker receives an error message, the password is incorrect, they can try different passwords until it works correctly.

, , , , , .

Fabio @fcerullo

+4

, . , , , .

GMAIL , gmail , , -, .

, , .

+2

Just add more info. The OWASP recommendations give you recommendations on this issue.

https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_and_Error_Messages

The application should respond with a generic error message, regardless of whether the user ID or password is incorrect. He should also give no indication of the status of an existing account.

+2
source

More articles:


All Articles