
For credential errors on login forms..

Do you guys follow the “OWASP standard” and won’t let the user know which field (email or password) was incorrect, just a general message or the more UX-way and let them know that it is for example the password that doesn’t match with given email (if it exists)? 🤔

Had a minor “discussion” about this with our sales-guy this afternoon about why I’m (as the full-stack, and only, developer there) not that much of a fan of the UX-way.. (even though ‘security’ is a “myth”). 😁
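The two options the post contrasts, as an added example that is not code from the post or its commenters: a handler that tells the user which field was wrong beside one that returns a single generic message and does the same hashing work whether or not the email exists. The user store, email address and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; iteration count chosen for the example, not a policy."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the email is unknown, so the "no such user"
# path costs the same as the "wrong password" path (no timing side channel).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

GENERIC = "Invalid email or password."


def login_leaky(email: str, password: str):
    """UX-style handler: says which field failed, so it reveals which emails exist."""
    if email not in USERS:
        return False, "No account with that email."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password for that email."
    return True, "OK"


def login_generic(email: str, password: str):
    """OWASP-style handler: one message for every failure, same work per attempt."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # An unknown email must never log in, even if the dummy hash were matched.
    if ok and email in USERS:
        return True, "OK"
    return False, GENERIC
```

Note that the generic message only closes the login form; as the comments point out, a registration form that answers “this user already exists” leaks the same information elsewhere.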

Comments
  • 3
    @Alice when trying to login. “You’ve entered AirChecker69’s password, not yours. Yours is ‘fluffykittens’.”
  • 3
    @Alice Well.. UX > security. 💁🏻‍♂️ The users might even be grateful for reminding them what their password is so that they don’t have to click on “forgot password” and receive it via email in plain text. 🤷🏻‍♂️
  • 3
    ⚠️ A FLAGRANT SYSTEM ERROR OCCURRED! ⚠️
    Resolve by logging in correctly.
  • 1
    Google stopped giving a generic error message and now displays different "invalid username" / "invalid password" messages, because there are too many ways to check if a username/email address is already registered; in many web apps it's possible at registration ("this user already exists").
  • 0
    @sbiewald True, I’ve noticed some other large players using that as well. Indeed some other ways to check it. But they all have strong security measurements for account signins etc. Will probably switch over when I’ve added some extra security measurements.
  • 1
    @Alice Help Me, I "y" Can't Login
    What's the Y?
  • 0
    @Root
    Perfection.

    How about forcing bsod after 1 failed login attempt?
  • 1
    @Alice I haven't heard that one before 🤔

    @BertMaurau as for UX vs Security. There's a fine line and the "UX" guy usually wins that war, you can disclose that "something was invalid" but the email/username can be validated anyway.
  • 1
    @Alice that would have something to do with it 😅