Describe the bug
Login attempts expose if the username is wrong
Steps to reproduce (if necessary)
Steps to reproduce the behavior:
Return the same generic error message if username or password is wrong, so it's not as easy to get the login.
Version or last commit:
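One way to implement the generic-error behaviour requested in this report, as an added example that is not this project's code. The user store, function names, message text and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Single message for every failure, so the response does not reveal
# whether the username or the password was wrong.
GENERIC_ERROR = "Invalid username or password."


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative, not a recommendation from the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store (hypothetical data).
USERS = {"alice": make_record("correct horse")}

# Dummy record verified against when the username is unknown, so both
# failure paths perform the same hashing work and take similar time.
_DUMMY = make_record(os.urandom(16).hex())


def login(username: str, password: str) -> tuple[bool, str]:
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    candidate = _hash(password, salt)
    # Constant-time comparison; always executed, even for unknown users.
    password_ok = hmac.compare_digest(candidate, stored)
    # An unknown user can never succeed, whatever the dummy comparison says.
    if record is not None and password_ok:
        return True, "Welcome."
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login("alice", "correct horse"))
    print(login("alice", "wrong"))
    print(login("mallory", "wrong"))
```

The message is only one signal: the HTTP status code, redirects and response time must also be identical on both failure paths for the generic error to hide anything.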
Thanks for submitting this. I'm open to feedback from more people, but this was a conscious design decision to prioritize usability over obfuscation, particularly because:
But again, I'm open to any further input.
Google's login process is that if you put in a correct email username, it will automatically accept it and then you just have to enter the password. If your email handle is wrong it'll say so:
Microsoft's Live Outlook.com service is very similar to how they handle this, telling the user if they have entered the right login first, and only then asking for a password:
There's an alternative option to consider where 'forgot password' would just ask for the user's email address, and then the received email would be like:
Renew your password by clicking here: [password reset link]