Login Security - Do you know the correct error message for an incorrect user name or password?
  v1.0 Posted at 19/02/2015 12:39 PM by Rebecca Liu

When a user fails to sign in due to an invalid email or password, you might have the good intention of helping them by telling them exactly which one is invalid.

However, this is not secure. Saying which of the two is wrong confirms to the bad guys (e.g., hackers) whether that email is a registered account, which makes it easier for them to get access to your account and do malicious things to the site and with your information.

The more secure message should be 'Invalid email or password'.

Figure: Good example - for security reasons, you don't say if it was an invalid user name or password.

See Login.aspx for a real example.
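The rule in executable form, as an added Python illustration rather than the page's own Login.aspx code: `login_leaky` is the pattern the rule warns against, `login_secure` returns the single generic message for both failure cases, and `leaks_account_existence` is a small check you can drop into a test suite to make sure a login handler does not regress. The user store, emails and passwords are constructed sample values, and the dummy hash is a hypothetical way of keeping the unknown-email path as slow as the wrong-password path so the response time does not reveal what the message now hides.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid email or password"


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed sample user store: email -> (salt, password hash). Not a real account.
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, hash_password("correct horse battery staple", _SALT)),
}

# Hypothetical dummy credential: a random hash that no password can match, verified
# when the email is unknown so that path costs the same as a wrong-password attempt.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)


def login_leaky(email: str, password: str, users=USERS):
    """The pattern the rule warns against: the message says whether the email exists."""
    record = users.get(email)
    if record is None:
        return False, "Invalid email"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Invalid password"
    return True, "Welcome"


def login_secure(email: str, password: str, users=USERS):
    """Both failure cases return the same generic message and do the same work."""
    record = users.get(email)
    if record is None:
        # Still run a hash so response time does not reveal that the email is unknown.
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False, GENERIC_ERROR
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, GENERIC_ERROR
    return True, "Welcome"


def leaks_account_existence(login_fn, known_email: str,
                            unknown_email: str = "nobody@example.invalid") -> bool:
    """Test-suite check: True if an unknown email and a wrong password give different messages."""
    _, msg_unknown = login_fn(unknown_email, "not-the-password")
    _, msg_wrong = login_fn(known_email, "not-the-password")
    return msg_unknown != msg_wrong


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_account_existence(login_leaky, "alice@example.com"))
    print("secure handler leaks:", leaks_account_existence(login_secure, "alice@example.com"))
```

The same check applies to any other channel that differs between the two cases, such as HTTP status codes, redirects or the "forgot password" flow; the generic message only helps if every observable response is identical.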
