When I try to log into a website & I input incorrect login details, why does it say "username or password is incorrect"? Why does it not specify which?
- 7 – Because one or the other would prove that an account exists or not and thus leak information that could be used by attackers. – Mokubai ♦, commented Jul 21, 2023 at 18:20
- 1 – Don't knock the question. If you're not terribly security-aware it's a reasonable request. – Tetsujin, commented Jul 21, 2023 at 18:25
- Reasonable but IMO much better suited here security.stackexchange.com and kind of off-topic here. – Destroy666, commented Aug 15, 2023 at 17:06
1 Answer
This is an elementary security measure. By not telling you which is incorrect, it leaves one less attack vector for a bad actor.
Hackers could be bombarding the server with a mathematical set of 'guesswork' login details. By not telling you which is incorrect, it means the hacker doesn't know if they've found a real account & therefore just need to hack the password, or if the account doesn't exist at all.
This makes it a) harder to hack & b) more likely they won't bother.
- 1 – 100% agree. There may also be a secondary reason - It's often easier to verify that the username + password hash exist for a user (1 database query) compared to a lookup of username and a second query for password - which would be necessary to determine which is incorrect. (Of course, this is very design dependent and may not be relevant.) – davidgo, commented Jul 21, 2023 at 19:19
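As an added illustration of the answer and davidgo's comment (example code, not from the thread): a leaky login check that reveals whether the account exists, beside a hardened one that does a single lookup, always performs one hash computation and one constant-time comparison, and returns the same message for every failure. The user store, names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "username or password is incorrect"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed in-memory user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential used when the username is unknown, so the failing path
# still costs one hash and one comparison and cannot be told apart by timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-never-matches", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """The 'before' form: two different messages, so an attacker learns
    which usernames exist without ever knowing a password."""
    if username not in USERS:
        return "no such user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "wrong password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one lookup, one hash, one message for every failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Both conditions are evaluated; the dummy hash can never authenticate
    # an unknown user even if someone guessed the dummy password.
    known = username in USERS
    matches = hmac.compare_digest(candidate, stored)
    return "ok" if (known and matches) else GENERIC_ERROR
```

Both functions answer the same question; only the uniform one denies the caller the "does this account exist?" bit.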