

“Invalid email or password.” Really? - merty
http://www.mertyazicioglu.com/2012/10/14/invalid-email-or-password-really/

======
gingerlime
I'm not saying you're completely wrong here, but from a security standpoint,
as a site owner, you really don't want to give any information that can be
used against you, and your own users. To put it bluntly, this approach is
kinda "you're not a user deserving a 'user-experience' until you actually
proved that you are a real user".

I think it really depends on the type of site and its concerns about security.
I'll give you two extreme examples:

* A hobbyist site for knitting, targeted at elderly people. Perhaps it should care more about the user experience, helping people to login even if they made a typo, than to protect from hackers finding out which email accounts exist on the site.

* Some bizarre highly-personal fetish site. Knowing whether or not an email address is registered on this site is in itself something worth protecting. Not to mention increasing the chances of then being able to hack into one of those accounts.

Basically what I'm saying is that security is almost always a trade-off, and
it depends on the site and its user expectations.

------
dsl
You should check out
[https://www.owasp.org/index.php/Information_Leakage#Accident...](https://www.owasp.org/index.php/Information_Leakage#Accidental_leaking_of_sensitive_information_through_error_messages)

You might increase usability slightly, but in exchange you are allowing
attackers to cut the work they need to do to compromise your users' accounts in
half. If you use email addresses for login, you are also allowing spammers to
verify valid email addresses against your system for spam or phishing attacks
later on.

~~~
merty
I'm aware of the fact that this makes attackers' jobs easier. However, many
websites (including Codecademy) tell you whether the email address you
provided is registered or not when you visit the Forgot Password page. If you
are displaying a message such as "If the email address you provided is
registered, you will receive an email shortly." then I can actually believe
that your main concern is security and that's what prevented you from
displaying a clearer error message.

Just added this at the end of the post for clarification.
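
An added illustration of the pattern the two comments above describe (not code from the post or from any of the sites named): both the login handler and the forgot-password handler return the same message whether or not the email is registered, and an unknown email is still run through a dummy password hash so the response time does not reveal which accounts exist. The user store, emails and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

LOGIN_ERROR = "Invalid email or password."
RESET_MESSAGE = ("If the email address you provided is registered, "
                 "you will receive an email shortly.")


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example, not tuned.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(users: dict) -> dict:
    # Constructed in-memory store: lower-cased email -> (salt, hash).
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, _hash_password(password, salt))
    return store


# Dummy credential: an unknown email costs the same hashing work as a
# known one, so timing does not distinguish "no such user" from "bad password".
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login(store: dict, email: str, password: str) -> tuple:
    # Always hash, always compare in constant time, always same error text.
    salt, expected = store.get(email.lower(), (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if ok and email.lower() in store:
        return (True, "Welcome back.")
    return (False, LOGIN_ERROR)


def request_password_reset(store: dict, email: str, outbox: list) -> str:
    # The reset mail is only queued for a real account, but the visible
    # response is identical either way, so the page leaks nothing.
    if email.lower() in store:
        token = secrets.token_urlsafe(16)
        outbox.append((email.lower(), "reset-token:" + token))
    return RESET_MESSAGE
```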

------
OafTobark
Shouldn't you know which email you signed up an account under since

A) They emailed you the notice (most likely this email), and

B) Most people only use one email address for personal stuff. Work emails
don't count.

------
jfaucett
The only reason I don't do this is because a hacker could potentially guess an
email or username until it's correct, then brute force his way in with a
password (because a lot of users don't make secure passwords that are long,
multi-character, etc.). Maybe it makes it a little bit more difficult, but for
me it's worth it. Also, even Google does this and I think most end users are
accustomed to seeing this message.

~~~
merty
I knew someone would say this :)

This is not an excuse for most of the sites (including Codecademy) because
when you follow the "Forgot password" link and type in an email address, they
instantly tell you whether that email address exists or not.

If you are displaying a message such as: "If the email address you provided is
registered, you will receive an email shortly." then fine :)

~~~
gingerlime
Very good point. This should be mentioned on the blog post too, and maybe
brought to the attention of the site owners. It definitely makes a stronger
case for either:

* avoiding giving away this piece of information on the forgot password screen

or

* telling the user whether it's their password or username that is wrong.

You might want to take a look at this Security StackExchange question:
<http://security.stackexchange.com/q/13079/7306>

update: I noticed this was in fact mentioned on / added to the blog post.

