Invalid username or password. Seems like a pretty simple message and we’ve all seen it. Sure, it’s a pain, but remembering passwords is one of the tiny aches of life on the web.
I have no problem with the error message as a whole. I only take issue with the or. If you have a site that includes a registration/login component, give as good a message as you can. Don’t leave the user wondering, “is it the username or is it the password?”
Login error message at NewsGator
Login error message at Backpack (by 37Signals)
From the programmer's perspective, I see how the or came about. They are probably taking the username & password entered and checking them both against the database at the same time. How about grabbing the password that matches the username and then comparing it?
That way, if you don’t get a return for the username, you can say:
Invalid username.
And if you do get a username, but the password doesn’t match, you can say:
Invalid password.
(Extra credit: rewrite those error messages to be even friendlier).
I’m not a security expert, so maybe there is a reason that more sites don’t do this. But as far as I can see, it’s just an extra conditional statement. Your users will appreciate having one less thing to guess.
Mike Duffy says
It’s driven by security: if you don’t know a valid username, all the passwords in the world (including a correct one) are worthless. If someone is trying a brute force attack on a site, telling them whether they have a valid username is a big leg up, since then you can use a dictionary attack on the password side.
Adam says
I told you I’m not a security expert! This makes some sense, but I’m not so sure it’s that big of a leg up, especially given the trade-off of the trouble it can give a visitor trying to guess his own credentials.
But I guess this is why I’m not in security. Heck, I don’t even want people to register at all.
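As an added example (not code from the post or its commenters), here is the two-message check the post proposes side by side with the single "or" message Mike's comment defends, in Python against a constructed in-memory user store. The dummy-hash path for unknown usernames is an assumption added so that the generic version does the same amount of work on both branches and response time does not give away what the message hides.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample store: username -> (salt, password hash).
USERS: dict[str, tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


register("alice", "correct horse")  # constructed sample account

# Dummy credentials used when the username is unknown, so the unknown-user
# path costs the same as a real comparison.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_separate_messages(username: str, password: str) -> str:
    """The post's proposal: say which field failed.
    Side effect: the reply reveals whether the username exists."""
    if username not in USERS:
        return "Invalid username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid password."
    return "OK"


def login_generic_message(username: str, password: str) -> str:
    """The 'or' message: same reply, and same hashing work, either way."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if username not in USERS:
        ok = False  # never accept a match against the dummy hash
    return "OK" if ok else "Invalid username or password."


def reveals_unknown_user(login, known_user: str = "alice") -> bool:
    """Defender's check: does a wrong password for a real user get a
    different reply than any password for a made-up user?"""
    return login(known_user, "wrong") != login("no_such_user", "wrong")
```

Running `reveals_unknown_user` against a real login handler is a quick way to confirm that an error-message change has not reintroduced account enumeration.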