In many applications, when you make a mistake in either your user name or password, you get a non-specific error indicating that either the user name entered does not exist or the password is incorrect for that user name.
I (naively) would expect the application to specify which one of the two errors happened. Is there any reason for not differentiating between them? I guess it would make it more difficult for an attacker to guess a correct user name/password combination, but is there any literature, research or similar that backs up this assumption?
The reason would be security: it prevents finding out which user names exist based on failed attempts.
This should be balanced with the user experience; if you're told that either your user name or password is incorrect, it can be perceived as very unhelpful or annoying.
Common sense dictates that an ambiguous message is better because an attacker would be unable to know if they had guessed a correct username.
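To make the point of both answers concrete, here is an added example (not code from the original question or answers) showing the leaky and the hardened login handler side by side, plus the enumeration step an attacker would run against each. The user store, the user name `alice`, her password, and the dummy-hash trick in `login_generic` are all constructed for this illustration. The dummy hash covers a caveat the answers do not mention: if the server skips the expensive password hash for unknown users, the response time itself still reveals which user names exist even when the message is identical, so the hardened handler does one hash computation on every failed attempt.

```python
import hashlib
import hmac
import os

# Constructed sample credential store for this example: username -> (salt, PBKDF2 hash).
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(credentials: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


USERS = make_user_store({"alice": "correct horse battery staple"})  # constructed data

# Dummy salt/hash so that an attempt against a non-existent user still costs one
# PBKDF2 computation. This is the assumed mitigation for the timing side channel.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("unused-dummy-password", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> str:
    """Leaky variant: the error text reveals whether the user name exists,
    and unknown users return without any hashing (fast), known users hash (slow)."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user name"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Incorrect password"


def login_generic(username: str, password: str) -> str:
    """Hardened variant: one message and one hash computation for both failure modes."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed, even for unknown users
    if username in USERS and hmac.compare_digest(candidate, stored):
        return "OK"
    return "The user name or password is incorrect"


def classify_responses(login, candidates, password="not-the-real-password"):
    """Attacker's view: try each candidate name with a wrong password and group
    the names by the message returned. Two groups means the names are enumerable."""
    grouped: dict[str, list[str]] = {}
    for name in candidates:
        grouped.setdefault(login(name, password), []).append(name)
    return grouped


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("verbose:", classify_responses(login_verbose, names))
    print("generic:", classify_responses(login_generic, names))
```

Against `login_verbose` the attacker ends up with two buckets, one of which is exactly the set of valid user names; against `login_generic` there is a single bucket and nothing to learn from the text. The generic message is necessary but not sufficient: a password-reset or registration form that says "no account with that address" reopens the same leak through a different door, and so does a login endpoint that returns faster for unknown users.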