
Which error message is better when users enter a wrong password?

Are there any differences between the following two error messages from a security point of view when users enter a wrong password?

Wrong username or password.

Wrong password.

For example, when you enter a wrong password on Gmail.com, it will tell you "The username or password you entered is incorrect".

Are there any considerations for security reasons? I think the error message "The password you entered is incorrect" is clearer to users. What's more, it's very easy to check whether a username exists on Gmail.com: just click "Can't access your account?" and enter the username. If the username doesn't exist, it will tell you.

luin asked Feb 17 '13 14:02



1 Answer

The idea is to not give hackers extra information. If you say wrong password, you've told a hacker that they have a correct username, and vice-versa. Although what you've said is true, on some sites it is possible to determine if you've guessed a username via other means.

Mike C. answered Oct 01 '22 03:10