
Ask HN: Incorrect user name and/or password

2 points | webwielder | 13 years ago

Is not specifying whether a user has entered an incorrect user name or an incorrect password done for security reasons, or is it just bad UX? If it is done for security reasons, how much and in what way does it contribute to security?

5 comments

slg | 13 years ago
If the motivation is security, then the effectiveness of the extra security is questionable. Even if a system uses this type of error message to stop people from testing for existing accounts, the user signup or password reset pages will almost always tell you if a particular username is being used.
aadarshbohara | 13 years ago
Looking at the security of a website, it has to be just the way it is. It should not prompt whether the username or the password is incorrect, and if it does, then it would be vulnerable. It prevents a hacker from knowing whether he has got the right username or not. If he knows that, then he can try out various passwords using the username he guessed earlier.
bmelton | 13 years ago
If I enter username_x and password_x as my parameters, and you say "the username is right, but the password is wrong", then as an attacker, I've just learned that a user account exists named username_x.

If I'm being malicious, this could give me better access to focus on password cracking, since now I have a known-good account to work against. I might design a system that just goes through a dictionary list of usernames until I get a decent list of users, then loop through them with password attempts.

Let's say I'm not an attacker, but an overly curious friend, boy/girl-friend, or employer of a particular user. If I try 'bmelton' as a username on, say, Monster.com, and my employer gets a message saying "the username is right, but the password is wrong", then my employer now knows that I'm a user on Monster.com. That might not be the end of the world, and is easy to explain away, but let's say the website is "hot_chicks_that_aren't_your_wife.com", and your girlfriend finds you have an account on there.

This is potentially compounded if you're using email addresses as usernames, since I could easily point to 'some other' Barry Melton[1] and say that 'bmelton' must be his account, but that's harder to pull off if it is my email address.

In short, it's a security issue that also happens to be bad UX. Perhaps if your website has no negative connotation (e.g., freekittensforcharity.com), then it doesn't matter, but you're still slightly more vulnerable to password attacks as I described in the first scenario.

[1] - http://www.counterculture.net/thefish/

webwielder | 13 years ago
But as slg mentioned below, it's trivial to check if a username/email is registered through the forgot password page. So some snooping significant other can still find out if they really want to.
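A defender-side illustration of the two points raised in this thread, added here and not written by any of the commenters: a login check that returns one generic message for both "no such user" and "wrong password", and a password-reset request that answers identically whether or not the account exists (so the reset page does not leak what the login page hides). The user store, names and passwords are constructed for the example; it also hashes a dummy credential for unknown usernames so that response time does not reveal account existence either.

```python
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, password hash). Not real accounts.
_SALT_ALICE = os.urandom(16)
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# Dummy credential hashed when the username is unknown, so that both branches
# do the same amount of work and a timing difference does not leak existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)

GENERIC_LOGIN_ERROR = "Incorrect user name and/or password"
GENERIC_RESET_MESSAGE = "If an account exists for that user, a reset link has been sent"

SENT_RESET_EMAILS = []  # stands in for an outgoing mail queue


def login(username: str, password: str) -> tuple[bool, str]:
    """Same error text for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return True, "Welcome"
    return False, GENERIC_LOGIN_ERROR


def request_password_reset(username: str) -> str:
    """Same response whether or not the account exists; only the e-mail
    (which the account owner receives) carries the real information."""
    if username in USERS:
        SENT_RESET_EMAILS.append(username)
    return GENERIC_RESET_MESSAGE
```

Rate limiting on both endpoints still matters: a uniform message stops the single-request leak, but not a dictionary of usernames tried against the login form.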