PHPFixing

Sunday, September 4, 2022

[FIXED] Which error message is better when users entered a wrong password?

 September 04, 2022     authentication, passwords, security     No comments   

Issue

Are there any differences between the following two error messages from a security point of view when users enter a wrong password?

Wrong username or password.

Wrong password.

For example, when you enter a wrong password on Gmail.com, it will tell you "The username or password you entered is incorrect".

Are there any considerations for security reasons? I think the error message "The password you entered is incorrect" is clearer to users. What's more, it's very easy to check whether a username exists on Gmail.com: just click "Can't access your account?" and enter the username. If the username doesn't exist, it will tell you.


Solution

The idea is to not give hackers extra information. If you say "wrong password", you've told a hacker that they have a correct username, and vice versa. Although what you've said is true, on some sites it is possible to determine if you've guessed a username via other means.



Answered By - Mike C.
Answer Checked By - Robin (PHPFixing Admin)