
Login Security - Do you know the correct error message for an incorrect user name or password?

Last updated by Rebecca Liu on 19 Feb 2015 01:39 am

When a user fails to sign in because the email or password is wrong, you might mean well by telling them exactly which of the two was invalid.

However, this is not secure. A message such as "Invalid email" confirms that no account exists for that address, and "Invalid password" confirms that one does. That lets an attacker enumerate valid accounts simply by submitting a list of addresses with any password, and then concentrate password guessing or credential stuffing on the accounts that exist.

The more secure message is one generic message for both cases: 'Invalid email or password'. Log the real reason on the server side for your own troubleshooting, but never show it to the user. Also make sure both failure cases take the same time to respond: if an unknown email skips the password check, the faster response leaks the same information through timing.

Figure: Good example - for security reasons, you don't say if it was an invalid user name or password.
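To show the difference concretely, here is an added example (not the page's Login.aspx, and not SSW's code) with the leaky login beside the generic one, plus the bucketing an attacker would do against each. The user store, the `USERS`, `login_leaky`, `login_safe` and `enumerate_accounts` names, and the PBKDF2 parameters are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: email -> (salt, PBKDF2 hash).
# Iteration count kept modest so the example runs quickly; raise it in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {
    "alice@example.com": make_user("correct horse battery staple"),
}

# A dummy record that is hashed on every lookup miss, so "no such user" costs
# the same as "wrong password"; otherwise response time reveals which it was.
_DUMMY_SALT, _DUMMY_HASH = make_user("dummy-password-never-used")

GENERIC_ERROR = "Invalid email or password"


def login_leaky(email: str, password: str) -> str:
    """Bad example: the error text tells the caller which field was wrong."""
    record = USERS.get(email)
    if record is None:
        return "Invalid email"        # confirms the account does not exist
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Invalid password"     # confirms the account does exist
    return "OK"


def login_safe(email: str, password: str) -> str:
    """Good example: one message and one amount of work, whatever failed."""
    record = USERS.get(email)
    if record is None:
        # Still do the hashing work so timing does not distinguish the cases.
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
        user_exists = False
    else:
        salt, stored = record
        user_exists = True
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    if not (user_exists and password_ok):
        # The specific reason belongs in a server-side log, never in the response.
        return GENERIC_ERROR
    return "OK"


def enumerate_accounts(login_fn, candidate_emails):
    """Attacker's view: bucket emails by the error text returned for a wrong
    password. The leaky endpoint yields two buckets (real vs. unknown accounts);
    the safe endpoint yields a single bucket, so nothing is learned."""
    buckets = {}
    for email in candidate_emails:
        message = login_fn(email, "definitely-not-the-password")
        buckets.setdefault(message, []).append(email)
    return buckets


if __name__ == "__main__":
    candidates = ["alice@example.com", "nobody@example.com"]
    print("leaky:", enumerate_accounts(login_leaky, candidates))
    print("safe: ", enumerate_accounts(login_safe, candidates))
```

The password hashing and constant-time comparison are standard-library only, so the block runs offline; the point to carry over to an ASP.NET login page is the single error string and the single code path, not the particular hashing call.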

See Login.aspx for a real example.
