How to tell the user his login credentials are incorrect?

  • When a user has entered incorrect details into a login form, is it better to tell them:

    • The username or password you have entered is invalid.

    or

    • The user name you have entered is invalid (for invalid usernames)
    • The password you have entered is invalid (for valid usernames but invalid passwords).

    The first approach "might" be more secure, as an attacker would not be able to confirm whether the username/email address is valid. At the same time, the user might get frustrated by not being able to remember the email address or username he signed up with.

    The second approach is clearly more user friendly, but an attacker would be able to work out what a valid username/email is, and then launch an attack on guessing the password.

    Some examples:

    • Amazon: There was an error with your E-Mail/Password combination. Please try again.
    • Hotmail: That Windows Live ID doesn't exist. Enter a different ID or get a new one. and That password is incorrect. Try again.

    Which way should I go about displaying those errors?

    How important is security for your site? The best approach for Paypal could be different from your personal blog comments.

    Yep, this is a security thing. Best UX is to tell them the exact problem, you'll have to decide if the "ease" of attacking is a significant great v how easy you want the site to be to access.

    I personally like the combo. Makes me feel warm and fuzzy. This means people just can't put in an email and see if it exists. This happened on facebook and people got pissed about it.

    @BenBrocka: This has nothing to do with security - it's a logic issue.

    @JohnGB As the hotmail example shows, this is not only a logic issue, there IS more information than just "that pair is wrong," especially in the case where that user name *doesn't exist!*
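Both message policies from the question, as an added example (not code from the question or any answer): a constructed one-user store, a login function for each policy, and a check showing that the specific-message policy lets an outside observer tell an existing username apart from a nonexistent one, while the generic policy returns the same message either way. The usernames, passwords, salts and the dummy-record trick are all assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2 digest). Not real accounts.
def _hash(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

_SALT = b"constructed-salt-0001"
USERS = {"johngb123": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so the generic path does the same work whether or not the user exists.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_DIGEST = _hash("not-a-real-password", _DUMMY_SALT)

GENERIC = "The username or password you have entered is invalid."
NO_USER = "The user name you have entered is invalid."
BAD_PASSWORD = "The password you have entered is invalid."


def login_specific(username: str, password: str) -> tuple[bool, str]:
    """Second policy from the question: a different message per failure cause."""
    record = USERS.get(username.lower())
    if record is None:
        return False, NO_USER
    salt, digest = record
    if hmac.compare_digest(_hash(password, salt), digest):
        return True, "ok"
    return False, BAD_PASSWORD


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """First policy from the question: one message for every failed attempt."""
    record = USERS.get(username.lower())
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    # Always verify against something so an unknown user takes the same code path.
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if record is not None and matched:
        return True, "ok"
    return False, GENERIC


def reveals_username_existence(login) -> bool:
    """True if an unknown user and a known user with a wrong password get different messages."""
    _, msg_unknown = login("johngb", "wrong-password")
    _, msg_known = login("johngb123", "wrong-password")
    return msg_unknown != msg_known
```

The scenario from the accepted answer (correct password, forgotten username) fails under both policies, but only `login_specific` tells the observer that `johngb` is not an account.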

  • JohnGB

    JohnGB Correct answer

    10 years ago

    You have to go with the first option (stating that the "username or password is invalid"), and this has nothing to do with security.

    Let's say that I usually use JohnGB as my username, but on your service someone else has that username, so I use JohnGB123 instead. Say I've then forgotten my username and I enter JohnGB as my username, but use my correct password.

    Is that a correct password and incorrect username or a correct username and an incorrect password?

    There is no such thing as having a correct username without its matching password, and no correct password without its matching username. Usernames and passwords only represent anything when used in combination.

    Yet saying "at least one of them is wrong" gives no more information. If you put down a non-existing user name - that's an error you can be told about, whereas the other way around you'll just know one of them is wrong. It's still true that if a mistake was made in both then the user cannot be told so, but in that case the other option doesn't add any info as well.

    @AssafLavie: You could say that the username exists, but you can't logically say that it was the right username. Also, if you're storing passwords in a sane way, then there is also no way of querying whether a particular password exists. The limitations are still logical and technical.

    I never suggested you could say that a password exists. You have 4 options: username/pwd can be correct/incorrect. Now if you only ever tell people "the combination is wrong" they _never_ know which part they got wrong. That's the lowest amount of information you can share (hence people worrying about security). The other option shares more information with the user. Yes, in some cases you still don't really know what's wrong, but in others you do (e.g. non-existing user name). Please see my comment to my own answer. You have to consider the "expected" UX.

    @Assaf the thing is that username/password aren't two things. They are just two parts of one login. You can only judge if the login is correct as a pair. You can't assume one is correct when the other isn't.

    Usually when people fail to log in they're entering the wrong password to the right user account; it's true that you can't know if it's the right user name, but it's a very different thing to say "holy crap, that user name doesn't even exist what are you doing" than to say "You're using the wrong password." If the username does not exist and you just say "the combo is wrong" you're leading them down the same path of letting them try different passwords for an account they can never access.

    @BenBrocka: I didn't argue against saying that a username doesn't exist if that is the case. But not existing and being wrong aren't the same thing. I'll update the answer to clarify this.

    You play on words. Let's say: “The password you entered is invalid for user _JohnGB_.” And it's fine.

    @NicolasBarbulesco If your authentication fails, it is *always* invalid for whatever username you had entered. This doesn't tell you anything more, but may cause additional confusion.

    @Nicolas Barbulesco doesn't that imply that a user `JohnGB` exists? If the username doesn't exist, the user might still try multiple passwords in frustration.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM