Home/ Questions/Q 452159
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T22:02:41+00:00

Here is the question I have been posed: What is the best way to

  • 0

Here is the question I have been posed:

“What is the best way to handle in valid credentials when logging into a site. Do we tell the user if their username was invalid? Or likewise if their password is invalid?”

I did some searching, but I’m having trouble finding a site with some best practices for this, to refer them to.

My Question for the community here:
Does anyone here know a site that has some good guidelines/best practices for this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The most authoritative discussion I can find on this issue is from the “Web Security Testing Cookbook,” Recipe 12.8.

    The book points out:

    1. You should provide a generic message indicating either the username or password was incorrect; revealing that just the username is correct allows attackers to enumerate valid usernames.
    2. Account lockout functionality, after X number of tries, also carries the same risk; attackers can lockout accounts to find out if the usernames were valid or not.

    You can read the whole “recipe” via Google Books here:
    http://books.google.com/books?id=VmrSJ3V-s_MC&lpg=PA249&ots=cU7V62FQOA&dq=web%20security%20reveal%20valid%20username&pg=PA248#v=onepage&q=web%20security%20reveal%20valid%20username&f=false

    • 0