
The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Why don't we tell the user when it's their password that's wrong..?

  • #209160
    Jerba
    Participant

    I imagine this is a pretty obvious answer, safety right?

    The process of determining the wrong credential isn’t all that difficult, but why don’t we tell people when it’s their password that’s wrong?

    I’d say it’s probably down to security right? I mean for a hacker with a big list of dumped emails, it wouldn’t be difficult to brute force to see which emails had accounts with a particular website, so is it to essentially prevent this?

    #209166
    Ilan Firsov
    Participant

    Yes, security.
    When a malicious person wants to get access to some account he has 2 values he needs to brute force: username and password.
    If we tell this person that one of the usernames he tested actually exists in our database, he is left with only one value he needs to find (password), which will take much less time.
