
Feature reg: tell user if he doesn't exist ;)


If I try to log in with an account that is deleted, the login screen just says

Username or password incorrect.



How about:

Username "****" doesn't exist in our database



or something?

It is widely considered to be very poor security practice to indicate for a failed login which aspect of the details is incorrect. As a general rule, no properly secured application will ever tell you whether it was the user name or password which is incorrect.

My personal opinion is that it is unlikely you'll ever see this.

  • Author

You have a valid point. Maybe it's better this way.

Previous versions of IP.Board showed a different error message if the username was invalid vs if the password was invalid. For the reasons Mat is stating above (poor security practice) we changed this in late 2.x or early 3.x releases.

Archived

This topic is now archived and is closed to further replies.
