
“Username or password incorrect” is bullshit

There’s a security best practice where sign-in forms aren’t supposed to say “password is incorrect”…

But, as this article points out, this is nonsense — because it is so trivial for anyone to find out whether a username is incorrect anyway.

Comments

2 responses to ““Username or password incorrect” is bullshit”

  1. Jamie Cockburn

    This best practice is based on the principle that a system should not leak any potentially sensitive information.

    Sign-in forms that follow this best practice are sensible. The issue here is with a registration process that does leak information. This is a good example of engineers following best practice without understanding the underlying principle that leads to it.

    This is not just about hacking either. Leaking the existence of a registered email address is leaking personal information about the individual who owns that email address. The article you link to gives GitHub as an example, which I doubt many people would care about others knowing. But what if it was Tinder? Or Gamblers Anonymous?

  2. Good points, Jamie!
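To make the point of the post and of Jamie’s comment concrete, here is an added example (not code from the original post or from any site it mentions) of a sign-in handler that returns the generic message and runs a hash check on both paths so timing does not reveal whether the account exists, next to a registration handler in the leaky form and in a form that answers identically whether or not the address is already registered. The user store, the password, and the `_send_mail` outbox are constructed stand-ins.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store (example data, not from the post): email -> (salt, hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the user does not exist, so the "unknown user"
# path costs the same as the "wrong password" path (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_LOGIN_ERROR = "Username or password incorrect"
OUTBOX: list[tuple[str, str]] = []  # stand-in for a mail transport

def _send_mail(to: str, body: str) -> None:
    OUTBOX.append((to, body))

def login(email: str, password: str) -> tuple[bool, str]:
    """Same message whichever factor failed, and a real hash comparison on both paths."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if email not in USERS:
        ok = False  # the dummy credential must never authenticate anyone
    return (ok, "" if ok else GENERIC_LOGIN_ERROR)

def register_leaky(email: str) -> str:
    """The pattern the post and the comment criticise: the form itself confirms
    whether an address is already registered, so the sign-in message is moot."""
    if email in USERS:
        return "That email address is already registered"
    return "Check your inbox to confirm your address"

def register_hardened(email: str) -> str:
    """Identical response either way; only the mailbox owner learns which case applied."""
    if email in USERS:
        _send_mail(email, "You already have an account; use 'forgot password' to sign in.")
    else:
        _send_mail(email, "Confirm your address to finish signing up.")
    return "Check your inbox to continue"
```

The same "respond identically, tell the mailbox owner" shape applies to password-reset forms, which leak the existence of an account in exactly the way Jamie describes for registration.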
