Login Security - Do you know the correct error message for an incorrect user name or password?
19/02/2015 12:39 PM by
When a user fails to sign in due to an invalid email or
password, you might, with good intentions, want to let them
know exactly which one is invalid.
However, this is not secure. Confirming which field was wrong
tells an attacker whether an email is registered, which makes
it easier for bad guys (e.g., hackers) to get access to your
account and do malicious things to the site and with your
information.
The more secure message should be 'Invalid email or
- Figure: Good example - for security reasons, you don't say if it was an invalid user name or password.
Login.aspx for a real example.