Comments on: Do sweat the small stuff

By: Weex

Weex — Tue, 09 Oct 2007 16:58:50 +0000

You could just show smth like:
“If the email address is valid then an e-mail has been sent to this email address with information on how to restore your password.”

By: Jay Levitt

Jay Levitt — Tue, 09 Oct 2007 00:32:03 +0000

Until about two weeks ago, I also believed that a login form was more secure if it didn’t tell you *which* field was invalid. After all, why give a potential hacker more information than they need?

Then I read a blog entry that pointed out what, in retrospect, should have been blindingly obvious: If a hacker wants to know whether the username is valid, all they have to do is click the “Forgot password?” link. Most sites will tell you either “we sent a reminder/reset” or “we don’t know who that is”. And the alternative - don’t even give feedback about whether you’ve sent off an e-mail - is horrid.

So, yeah, go ahead and tell people which field they need to fix. It’s OK.

By: Keeto

Keeto — Mon, 08 Oct 2007 21:06:22 +0000

I agree with much of the things you said. Being a webapp developer myself, I often find myself wanting to download and run my own copies of many web applications, simply because I want to change little things that are too annoying for me..

But with regards to login forms, I guess many application developers still feel the need to be vague. One point that always sticks out whenever discussing user feedback with logins is how much information to share with the users regarding the authentication process.

It does make sense. If you give only a foggy hint regarding the authentication, you increase the amount of time potential hackers need to break it. The more information you share, the lesser the hackers have to work.

Of course, it doesn't follow that being vague secures you application more. Security, after all, isn't just limited to basic authentication. But many have been taught that this method helps, and I guess that's why it sticks..