Sep 30, 2011

Incorrect Username or Password. “OR”?!

You know what I don’t like? I don’t like it when I try to log in to some website with the wrong username or password and they tell me that I have the wrong username or password. What they should tell me is that I have the wrong username, or that I have the wrong password, but not that I have the wrong username OR password. Because then I have to think. I have to ask myself many things: Did I mistype my password? Did I type correctly but try the wrong password? Which email address did I sign up with? Is my username my email address or is it something else? Have I even ever signed up for this site?

It’s like telling me that either my shoelaces are untied or I have something stuck in my teeth. Thanks. Or not. Now, please, tell me what to do.

If they would just tell me, “That username doesn’t exist,” or “Incorrect Password,” then I would have much less to think about. My thoughts would just be, “Oh, I guess I signed up with a different email address, or I haven’t registered yet,” or “I must have mistyped my password.” They could tell me which road I’m on, rather than leave me stranded, blindfolded at the crossroads. So why don’t they?

It’s either because they’re lazy and/or mean (which is probably not the case) or because someone has the wrong idea that this is more secure. You don’t want to let an impostor just sit there and try lots of different passwords to get into an account that’s not theirs, and if the impostor doesn’t know whether that username exists or not, then the account is safer—hence the vague error message: “Username or password is incorrect.” Which one is incorrect? It’s a mystery. Except that it’s not. There’s an easy way for anyone to tell if a username exists or not, which is to go to the “Forgot password?” page and enter the username in question. Upon submitting the username, you’ll be told either that “You’ve been sent instructions on how to reset your password,” which means that the username exists or “That username does not exist,” which means that the username does not exist. Because of the “Forgot password?” functionality, the vague error message is not more secure because it’s vague—it’s just more frustrating because it’s vague. There’s no reason for the vagueness. So please, Error Message Writers, just tell me what road I’m on.
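The mismatch described above can be checked mechanically. The following is an added example, not part of the original post and not any real site's code: a constructed in-memory model of a login form and a “Forgot password?” form, with a check that reports which of the two answers differently for a registered and an unregistered username. The account data, function names and the uniform reset wording are assumptions made for illustration.

```python
# Constructed sample account store (hypothetical data, toy plaintext comparison).
USERS = {"alice@example.com": "correct horse"}

GENERIC_LOGIN = "Username or password is incorrect."
GENERIC_RESET = ("If that username exists, we sent you instructions "
                 "on how to reset your password.")


def login(username, password, specific=False):
    """Return the message a login form would show."""
    if username in USERS and USERS[username] == password:
        return "Welcome."
    if not specific:
        return GENERIC_LOGIN  # vague: same text for both failure causes
    if username in USERS:
        return "Incorrect password."
    return "That username doesn't exist."


def forgot_password(username, uniform=False):
    """Return the message a password-reset form would show."""
    if uniform:
        return GENERIC_RESET  # same text whether or not the account exists
    if username in USERS:
        return "You've been sent instructions on how to reset your password."
    return "That username does not exist."


def leaking_endpoints(specific_login, uniform_reset):
    """List the forms whose reply differs between a registered and an
    unregistered username, i.e. the forms that reveal account existence."""
    known, unknown = "alice@example.com", "nobody@example.com"
    leaks = []
    if login(known, "wrong", specific_login) != login(unknown, "wrong", specific_login):
        leaks.append("login")
    if forgot_password(known, uniform_reset) != forgot_password(unknown, uniform_reset):
        leaks.append("forgot_password")
    return leaks


if __name__ == "__main__":
    # Walk all four combinations of login wording and reset wording.
    for specific_login in (True, False):
        for uniform_reset in (False, True):
            print(f"specific_login={specific_login} uniform_reset={uniform_reset} "
                  f"-> leaks via {leaking_endpoints(specific_login, uniform_reset)}")
```

A vague login message paired with a specific reset message still reports `forgot_password` as a leak; only when both forms give one reply for every username does the list come back empty.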

If I enter a registered username with the wrong password into Facebook, I see this:

If I enter an unregistered username into Facebook, I see this:

If I enter a registered username with the wrong password into Amazon, I see this:

If I enter an unregistered username into Amazon, I see this:

See the difference?



  • Lee says:

    This is a security issue. I’ve been through a couple hundred anal probes/security reviews with companies and this is on every single one of the reviews. They don’t want you to leak any information to potential intruders.

    • But do these same companies also have the “Forgot password?” functionality? If they do, and they give two different responses to existing and non-existing usernames, then it’s not secure. If they give the same response to both existing and non-existing usernames—that a reset password link has been sent to them, then that would be secure. The message would have to be something like, “If that username exists, then we sent you instructions on how to reset your password.” But that would be frustrating for someone who believes that they entered an existing username but in fact did not. They’d be stuck waiting for nothing.

  • Lee says:

    Some of the more security paranoid folks, mostly banks, want you to disable or disallow the Forgot Password functionality for them. For the ones that do not have an issue with it, one of the checks is just a generic message when you click it.

    When it comes to security most of them don’t care how much it frustrates users, because all it takes is one breach to ruin not only the brand but risk the business.