“Username or password incorrect” is bullshit
There’s a security best practice where sign ins aren’t supposed to say “password is incorrect”…
But, as this article points out, this is nonsense — because it is so trivial for anyone to find out whether a username is incorrect anyway.
I lead teams and organisations to make human-centred decisions. I am a lead content designer and information architect at the Scottish Government.
Email — contact@duncanstephen.net
This best practice is based on the principle that a system should not leak any potentially sensitive information.
Sign in forms that follow this best practice are sensible. The issue here is with a registration process that does leak information. This is a good example of engineers following best practice without understanding the underlying principle that leads to it.
This is not just about hacking either. Leaking the existence of a registered email address is leaking personal information about the individual who owns that email address. The article you link to gives GitHub as an example, which I doubt many people would care about others knowing. But what if it was Tinder? Or Gamblers Anonymous?
Good points Jamie!
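An added example (not from the post or its comments) of the principle Jamie describes: sign-in and registration handlers that give the same response whether or not the account exists, so neither form can be used to enumerate addresses. The in-memory user store, the outbox, and the scrypt parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: email -> (salt, scrypt hash). A real app uses a database.
USERS = {}
# Constructed outbox standing in for a mail queue: (recipient, template name).
OUTBOX = []

def _hash(password, salt):
    # Salted scrypt; parameters are an assumption, tune for your deployment.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

# Dummy credentials so that an unknown email still costs one full hash,
# keeping response time roughly equal for known and unknown accounts.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def _queue_email(to, template):
    OUTBOX.append((to, template))

def register(email, password):
    """Registration that does not reveal whether the address is already taken.

    Both branches return the identical message; the only difference is which
    email is sent out of band, and only the address owner can see that.
    """
    if email in USERS:
        _queue_email(email, "already-registered")
    else:
        salt = os.urandom(16)
        USERS[email] = (salt, _hash(password, salt))
        _queue_email(email, "verify-address")
    return "Check your inbox to continue."

def login(email, password):
    """Sign in with one generic failure message for every failure cause."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    # compare_digest avoids short-circuiting on the first differing byte.
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and email in USERS:
        return True, "Signed in."
    return False, "Username or password incorrect."
```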