I noticed that on some sites, when you ask for a reminder or login, they tell you if there is a user (I think Meetup does this). Other sites will simply say, "the user / password combination is incorrect" (Google, I believe, does this).
Is there a security reason for not identifying a user ID?
Yes there is.
You want to give attackers as little information as possible.
As a rule, do not give the attacker more information than is absolutely necessary. If someone enters an email address that is not in your system, you do not need to tell them whether this address exists or not, so don't.
There are certainly stronger forms of defense, but for “defense in depth” every little thing adds up.
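
A sketch of that rule in code, added here as an example and not taken from any of the answers: login and reminder handlers whose visible reply is the same whether or not the account exists, with a dummy hash check so an unknown address costs the same work as a known one. The in-memory store, the function names, the PBKDF2 work factor and the reminder wording are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example
GENERIC_LOGIN_ERROR = "The user / password combination is incorrect"
GENERIC_REMINDER_REPLY = "If that address is registered, a reminder has been sent"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) for a new password."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample store (hypothetical): email -> (salt, password hash).
USERS = {"chris@gmail.com": make_record("correct horse battery staple")}

# Record checked when the account does not exist, so an unknown user costs
# the same hashing work as a known one and the two cases take similar time.
_DUMMY = make_record(os.urandom(16).hex())


def login(email: str, password: str) -> tuple[bool, str]:
    record = USERS.get(email.strip().lower())
    salt, expected = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if record is not None and matches:
        return True, "Welcome"
    # Same text for "no such user" and "wrong password".
    return False, GENERIC_LOGIN_ERROR


def request_reminder(email: str, outbox: list[str]) -> str:
    """Queue mail only for real accounts; the visible reply never varies."""
    address = email.strip().lower()
    if address in USERS:
        outbox.append(address)
    return GENERIC_REMINDER_REPLY
```

The reply text is only one channel: response time, status codes and redirects should match between the two cases as well.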