'The name or password you entered is not correct' Why not narrow it down?

:mad: This is almost a pit rant but I am curious if there is a factual answer to this. There have been many times I have wasted time trying to figure out if I even had the right user name and eventually had to wait until I got home to log in.

I have a variety of user names and passwords I use; often I have to modify them due to a site's name or password rules - and of course sometimes they are case sensitive and sometimes they are not. On most sites if you get your user name or password wrong you get a generic message not telling you which one is wrong :mad: Is there a technical or other reason for this?

It’s mostly a security reason. Usually a hacker neither knows the username nor the password. If the error message tells you that you have an incorrect password only then you could learn from that information that the username is indeed correct.
An even more egregious security flaw would be if it tells you that the username is incorrect for the password. Because you would then know that someone has this password and as usernames are usually less closely guarded, you could hack in with less effort.

It is for security purposes and to make them harder to crack which is the point of user name/password combinations in the first place.

Thirded. It was explained to me when I was first trained on a username/password system in the late '80s that the purpose of not telling you which you got wrong was to prevent someone from cracking the two halves independently.

Password is for security, user name is so you can identify your account.

To me it seems like a massive increase in inconvenience for a small increase in security. If you use a halfway decent password how easy is it for someone to crack it? Most web sites block you out after a couple attempts, so a brute force cracker is useless - right?

If it weren’t for different rules on user names/ passwords it would be much less of an inconvenience.

Wrong. Usernames are also for security. Under ideal circumstances, they can even be the equivalent of second passwords.

Let’s say you have two locks on your front door: one is a deadbolt and one is a lock on the knob. The deadbolt is a lot more secure than the knob lock; does that mean you leave a copy of the key to the knob hanging by your door?

While it is more convenient to legitimate users who make typos to have a more specific message, it would also be more convenient to people trying brute force attacks. You basically are telling them whether the user name they entered was valid or not. That strikes me as a big increase in risk for a small increase in convenience.

In addition, it seems impossible to give back a reliably correct error message if you want to explicitly say “bad user name” or “bad password”. Consider the following user name and password combination on the system:

User name = user1, Password = password1
User name = user2, Password = password2

If you are “user1” and accidentally type in your name as “user2” but use the correct “password1” password, what is going to happen? As far as the system is concerned the user name is valid (just not yours), but the password didn’t match. So you’ll get a “bad password” response. If there is anything worse than a generic response it is a specific response that is completely misleading and wrong! You’ll spend the rest of the day cussing the website while carefully trying your password over and over again, not bothering to check your user name.
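As an added example (not code from any poster in this thread), here is a small Python login check that implements both message styles side by side. The account table is constructed from the user1/user2 example above with throwaway passwords; the function names and the helper that compares the two styles are my own. It reproduces the misleading “bad password” for a mistyped username, and shows that the specific messages also answer the question “does this username exist?” while the generic message does not.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real credentials), as in the post above.
SAMPLE_ACCOUNTS = {"user1": "password1", "user2": "password2"}

GENERIC_FAILURE = "invalid username or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def make_user_store(accounts: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build a username -> (salt, hash) table the way a site would store it."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


USERS = make_user_store(SAMPLE_ACCOUNTS)


def login_specific(store, username: str, password: str) -> tuple[bool, str]:
    """Leaky style: reports which half failed. Shown as the 'before' case."""
    if username not in store:
        return (False, "unknown username")
    salt, expected = store[username]
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return (True, "ok")
    # This is the misleading branch: the password may be perfectly fine
    # for the account the user *meant*, just not for the name they typed.
    return (False, "bad password")


def login_generic(store, username: str, password: str) -> tuple[bool, str]:
    """Generic style: one message for every failure, so nothing is learned
    about whether the username exists."""
    if username in store:
        salt, expected = store[username]
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
    else:
        ok = False
    return (True, "ok") if ok else (False, GENERIC_FAILURE)


def messages_reveal_username(login_fn, store, existing: str, missing: str) -> bool:
    """True if the failure text differs between a real and a made-up username,
    i.e. if the message alone confirms which names are registered."""
    _, msg_existing = login_fn(store, existing, "definitely-wrong")
    _, msg_missing = login_fn(store, missing, "definitely-wrong")
    return msg_existing != msg_missing


if __name__ == "__main__":
    # user1 mistypes their name as user2 but enters their own, correct password.
    print(login_specific(USERS, "user2", "password1"))   # (False, 'bad password')
    print(login_generic(USERS, "user2", "password1"))    # (False, 'invalid username or password')
    print(messages_reveal_username(login_specific, USERS, "user1", "nobody"))  # True
    print(messages_reveal_username(login_generic, USERS, "user1", "nobody"))   # False
```

The generic variant still does the same two checks the site has to do anyway; it just collapses the two failure branches into one response, which is what makes it both always correct and uninformative to a guesser.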

As I mentioned above, a time limit between attempts or being locked out after a certain number of failures could effectively prevent brute force attacks - right?
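One way to implement the lockout mentioned here, as an added example that is not from any poster in the thread: a per-username counter of recent failures with a lockout window, using the generic message even while locked so that the lockout notice itself does not confirm that the account exists. The class, constants and the injectable clock are my own assumptions; the credential check is passed in so the throttle works with any login function.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5          # failures allowed inside the window before locking
LOCKOUT_SECONDS = 900     # window length and lock duration (assumed values)
GENERIC_FAILURE = "invalid username or password"


class LoginThrottle:
    """Counts failed attempts per submitted username and refuses further
    attempts once the limit is reached, until old failures age out."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(list)       # username -> failure timestamps

    def _recent_failures(self, username: str, now: float) -> list:
        cutoff = now - LOCKOUT_SECONDS
        self.failures[username] = [t for t in self.failures[username] if t > cutoff]
        return self.failures[username]

    def is_locked(self, username: str) -> bool:
        return len(self._recent_failures(username, self.clock())) >= MAX_FAILURES

    def attempt(self, username: str, password: str, check_credentials) -> tuple[bool, str]:
        now = self.clock()
        if self.is_locked(username):
            # Same text as a plain failure: a distinct "account locked" message
            # would tell the caller that this username is real.
            return (False, GENERIC_FAILURE)
        if check_credentials(username, password):
            self.failures.pop(username, None)   # success clears the counter
            return (True, "ok")
        self.failures[username].append(now)
        return (False, GENERIC_FAILURE)


def demo_lockout() -> dict:
    """Drive the throttle with a fake clock and return the observed results."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    # Constructed credential check for a single sample account.
    check = lambda u, p: (u, p) == ("user1", "password1")

    before = [throttle.attempt("user1", "wrong", check) for _ in range(MAX_FAILURES)]
    locked = throttle.is_locked("user1")
    while_locked = throttle.attempt("user1", "password1", check)   # right password, still refused
    unknown = throttle.attempt("ghost", "wrong", check)            # unknown name: identical reply
    fake_now[0] += LOCKOUT_SECONDS + 1
    after_window = throttle.attempt("user1", "password1", check)
    return {
        "before": before,
        "locked": locked,
        "while_locked": while_locked,
        "unknown": unknown,
        "after_window": after_window,
        "still_locked": throttle.is_locked("user1"),
    }


if __name__ == "__main__":
    for key, value in demo_lockout().items():
        print(key, value)
```

Note the trade-off a deployment has to accept: the same counter that stops guessing also means repeated wrong guesses against a name will lock out its real owner for the window, so sites usually pair this with throttling by source as well, and keep the message generic in every branch.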

They could tell you ‘user name does not exist’. Of course if you accidentally typed a name that does exist it could cause frustration.

That’s exactly the situation that was presented in the post you were replying to…

I was agreeing that there is one legitimate reason for not identifying if the name or password is incorrect.

Anyone who thinks that keeping the username secret is good security is someone I don’t want getting anywhere near my security systems. Usernames are designed to be public knowledge, and many systems won’t work without knowing other peoples’ usernames. If security isn’t good enough if usernames are known, then security isn’t good enough.

I only disagree with this post insofar as you have generalized from most systems to all systems. Every library I’ve ever worked at has expected circulation, supervisor, and cataloging usernames to be kept more or less as secret as passwords from the general public. I imagine that a lot of “staff only” computer accounts are the same way. If you don’t believe me, go into a bank and ask the teller to tell you what username she or he uses to log in to the retail banking application they use at their terminal. I’m willing to bet you will not find out.

If you typed in a user name that didn’t exist it could say “user name does not exist”. If you type in a user name that does exist with the incorrect password it could never tell you “bad password” because there is a chance your password was just fine but you mistyped the user name. At this point you’d need a generic “user name and password mismatch” message.

It could say bad password and 99% it would be right (well, technically it would be right all of the time), and 1% of the time your mistaken user name actually matched one that is being used and it would be a legitimate frustration for the user.

Of course usually when I use something different than my usual user name it’s because the website will not let me use my usual name for some reason - it would be nice if they could tell you ‘that username is not valid on this site’ or a reminder that usernames are case sensitive (if they are).

As nearly as I can tell, all of the suggestions you’re making for changes, Anachronism, would add processing time to something most people want to get over with as quickly as possible. I’m perfectly happy for any system I log in to to do one check of my username/password combo and, if it’s invalid, return me one error message, putting the burden of doing the thinking back where it belongs: on me.

The phrase bad password refers to it being bad for the accompanying username, not as a disembodied password.

I could try using my housekey on my neighbor’s house. The mistake is localized to “wrong key” for this house. Once you propose a username, all actions/denials are to be based on that username.

All this says is that a lot of people think that the usernames are secure. But the folks who designed those systems that they’re using probably did not treat the usernames as secure, and so it would probably be easy to learn them.

There is no such thing as a bad* extra layer of security. For example, when I log on through a VPN rather than connecting directly to my company’s network, in addition to my username and password, I also have to enter a PIN into a software token application to generate a second, short-term-use authentication code. Would you say “If security isn’t good enough if passwords can be known, then security isn’t good enough”?

Anyone who thinks that keeping the username secret, in combination with other measures, is *bad* security is someone I don’t want getting anywhere near *my* security systems. I direct you again to the door lock analogy: *just* locking the knob would be stupid, but just because you have a deadbolt doesn’t mean it would be smart to hand everyone the key to the knob.

*Caveats in place, of course, for systems that are so convoluted that people start, say, keeping hardcopy lists just to manage them, which could then easily be stolen. But we’re talking here about something that’s already an integral part of the system: your login.

The system has to check if the username exists before it can check if there is a password to go with it. If it does not exist it does not seem like any extra effort to tell the user.

As Driver8 said: this isn’t a security issue; it is just a user-interface issue. The site doesn’t know what the user intended. All it knows are (a) The username is valid/invalid, (b) If the username is valid, the password is valid/invalid for that username. From these two pieces of information it cannot know if you mis-typed the username or the password.

As a result, most sites will tell you ‘invalid username or password’. It is easy to implement and always correct. Occasionally a site will tell you specifically whether it is (a) or (b) – ‘unknown username’ or ‘invalid password’, but this information can be incorrect and thus may not be considered good user-interface design.

As others have said, giving you an ‘unknown username’ makes it easy for crackers to find valid usernames, but even if there were no such thing as crackers, good user-interface design would stick with ‘invalid username or password’.