Should I provide separate messages for the wrong password and the wrong username? Or keep the same for safety?

Question

Should I provide separate messages for the wrong password and the wrong username? Or keep the same for safety?

I think that individual messages can make the user less disappointing, as someone who has forgotten their details has less opportunity to narrow it down. However, it is then possible for someone to continue to clean the site to determine the list of usernames that they use.

Should I take a small security issue to create a better user interface?

+4

authentication login user-experience

Jim Aug 11 '11 at 11:59

source share

2 answers

No, it's not worth it. To be safe, you want to provide as little information as possible.

+1

love_me_some_linux Aug 11 '11 at 12:05

source share

James hill · Accepted Answer · 2011-08-11T12:01:34+0000

When it comes to security, I would always be mistaken on the side of caution . Use a generic message.

Should I provide separate messages for the wrong password and the wrong username? Or keep the same for safety?

More articles: