I am designing a basic website to which access is restricted by a classic login & password system.
I can’t decide whether I should show a different message when the user enters a non-existing login, and when he enters an invalid password for an existing account.
My first intuition would be not to show a different message, because that would give hints to potential attackers about what is wrong, but doing so would sometimes make it more difficult for the user to understand his errors (perhaps he just mistyped his account login and an appropriate error message would be better). On the other hand, I often heard that the account login was not a secret (as the password obviously is) and so giving information about it should not lower the security level.
Do you guys have any good practice/rationale that I should follow regarding this?
Thanks.
Don’t differentiate these – it is information that can be used by malicious parties.
If they know a username is right, they already have valuable information that you have leaked.
It is a minor inconvenience to your users not to know why exactly the login failed; they still have to enter both username and password, after all.
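Applied to the login form in the question, as an added example (not code from the post or the answer): the version that leaks which usernames exist next to a hardened one that returns a single failure message and also computes the password hash for unknown usernames, so response time does not reveal what the message hides. The in-memory user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store: username -> (salt, PBKDF2 hash). Not from the original post.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username takes the same code path (and roughly the
# same time) as a wrong password for an existing account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The design the question considers: distinct messages reveal which usernames exist."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Invalid password"
    return True, "Welcome"

GENERIC_FAILURE = "Invalid username or password"

def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """One failure message for both cases; the hash is computed either way so
    the time taken does not tell the caller whether the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always run the comparison, then additionally require a real account so a
    # guess that happens to match the dummy record can never log in.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return False, GENERIC_FAILURE
    return True, "Welcome"
```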