Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I was always under the impression that whenever you provide a login interface and the user does not provide valid credentials you never confirm which of the username and password was incorrect as this can aid hacking attempts?
It would seem that wikipedia.org go against this standard of practices;
The answer is case-specific.
On one hand, you have public-usernames such as in websites that host forums such as StackOverflow and, in your example, Wikipedia. The term “public”, in this sense, is used to mean that it is used as a public identifier for all to see. In these cases, it wouldn’t make any sense to mask the fact that a username exists or not in a login form – this information is publicly accessible. Be it a page to view specific user’s information or even by scanning every page on the website – you’d be able to enumerate a full list of users (at least, those that have contributed) with little effort.
On the other hand, you have private-usernames, such as ones used in banking applications. As a bank website would not (or at least, should never) display actual usernames on their site to anyone anywhere – the username is used purely as a website-identifier and authentication tool. In this case, it makes good sense to give a warning such as “The username/password combination you used is invalid.” opposed to “The username you entered does not exist.“.