You know what I don’t like? I don’t like it when I try to log in to some website with the wrong username or password and they tell me that I have the wrong username or password. What they should tell me is that I have the wrong username, or that I have the wrong password, but not that I have the wrong username OR password. Because then I have to think. I have to ask myself many things: Did I mistype my password? Did I type correctly but try the wrong password? Which email address did I sign up with? Is my username my email address or is it something else? Have I even ever signed up for this site?
It’s like telling me that either my shoelaces are untied or I have something stuck in my teeth. Thanks. Or not. Now, please, tell me what to do.
If they would just tell me, “That username doesn’t exist,” or “Incorrect Password,” then I would have much less to think about. My thoughts would just be, “Oh, I guess I signed up with a different email address, or I haven’t registered yet,” or “I must have mistyped my password.” They could tell me which road I’m on, rather than leave me stranded, blindfolded at the crossroads. So why don’t they?
It’s either because they’re lazy and/or mean (which is probably not the case) or because someone has the wrong idea that this is more secure. You don’t want to let an impostor just sit there and try lots of different passwords to get into an account that’s not theirs, and if the impostor doesn’t know whether that username exists or not, then the account is safer—hence the vague error message: “Username or password is incorrect.” Which one is incorrect? It’s a mystery. Except that it’s not. There’s an easy way for anyone to tell if a username exists or not, which is to go to the “Forgot password?” page and enter the username in question. Upon submitting the username, you’ll be told either that “You’ve been sent instructions on how to reset your password,” which means that the username exists, or “That username does not exist,” which means that the username does not exist. Because of the “Forgot password?” functionality, the vague error message is not more secure because it’s vague—it’s just more frustrating because it’s vague. There’s no reason for the vagueness. So please, Error Message Writers, just tell me what road I’m on.
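Here is that argument as a small check a site owner could run against their own handlers. It is an added example, not code from any site mentioned here: the in-memory `USERS` table, the function names, the status codes, and the sample account are all assumptions, and only the quoted messages come from the text above.

```python
# Constructed model of one site's two endpoints (all names are hypothetical).
USERS = {"alice@example.com": "correct horse"}  # constructed sample account

def login(username, password):
    """Vague login: one reply whether the username or the password is wrong."""
    if username in USERS and USERS[username] == password:
        return (200, "Welcome back")
    return (401, "Username or password is incorrect.")

def forgot_password(username):
    """Reset page as described above: the reply depends on account existence."""
    if username in USERS:
        return (200, "You've been sent instructions on how to reset your password")
    return (404, "That username does not exist")

def reveals_existence(endpoint, known_user, unknown_user):
    """True if the endpoint answers differently for a registered and an
    unregistered username, comparing both status code and message."""
    return endpoint(known_user) != endpoint(unknown_user)

def audit(known="alice@example.com", unknown="nobody@example.com"):
    """Check every public endpoint that accepts a username."""
    endpoints = {
        # A wrong password is used on purpose: we only compare failure replies.
        "login": lambda user: login(user, "wrong-guess"),
        "forgot_password": forgot_password,
    }
    return {name: reveals_existence(fn, known, unknown)
            for name, fn in endpoints.items()}

def site_reveals_usernames():
    """The site as a whole reveals usernames if any single endpoint does,
    so a vague login message hides nothing while the reset page answers."""
    return any(audit().values())

if __name__ == "__main__":
    for name, leaks in audit().items():
        print(f"{name}: {'reveals' if leaks else 'hides'} whether the username exists")
    print("site reveals usernames:", site_reveals_usernames())
```

The login handler comes back as hiding the username and the reset page as revealing it, so the site-wide answer is still "reveals".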
If I enter a registered username with the wrong password into Facebook, I see this:
If I enter an unregistered username into Facebook, I see this:
If I enter a registered username with the wrong password into Amazon, I see this:
If I enter an unregistered username into Amazon, I see this:
See the difference?