Enhance login security - Return same generic error for invalid user or password #101
Describe the bug
Login attempts expose if the username is wrong
Steps to reproduce (if necessary)
Steps to reproduce the behavior:
Return the same generic error message if username or password is wrong, so it's not as easy to get the login.
Version or last commit:
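Added illustration of the fix the report asks for (example code, not this project's own): a login check that distinguishes "unknown username" from "wrong password", next to one that returns a single generic message for both. The hardened version also hashes against a dummy record when the username does not exist, so the response time does not reveal what the message no longer does. The user store, salts and hashing scheme are constructed here for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (username -> (salt, PBKDF2 hash)); stands in for the real DB.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential used for unknown usernames, so the same hashing work is done
# whether or not the account exists (no timing difference between the two cases).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The behaviour the issue reports: the error text reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username."
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return True, "OK"
    return False, "Wrong password."


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened: one message for both failure cases, dummy hash computed for unknown users."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # The explicit membership check guards against a guess that happens to equal the dummy.
    if matched and username in USERS:
        return True, "OK"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login_leaky("bob", "x"), login_leaky("alice", "x"))
    print(login_generic("bob", "x"), login_generic("alice", "x"))
```

Both failure branches of `login_generic` run the same PBKDF2 call and return the same string, which is the property the report asks for; the usability trade-off the maintainer mentions is that a user who mistyped their username gets no hint about it.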
Thanks for submitting this. I'm open to feedback from more people, but this was a conscious design decision to prioritize usability over obfuscation, particularly because:
But again, I'm open to any further input.
Google's login process is that if you put in a correct email username, it will automatically accept it and then you just have to enter the password. If your email handle is wrong it'll say so:
Microsoft's Live Outlook.com service is very similar to how they handle this, telling the user if they have entered the right login first, and only then asking for a password:
There's an alternative option to consider where 'forgot password' would just ask for the user's email address, and then the received email would be like:
Renew your password by clicking here: [password reset link]
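Added sketch of the reset flow proposed in the comment above (example code, not this project's own): the request endpoint answers with the same message whether or not the address is registered, and only a registered address actually gets the email with the link. The account list, outbox and token store are constructed stand-ins for a database and a mail sender; the reset URL host is a placeholder.

```python
import secrets
from typing import Optional

# Constructed account list; in a real system this is the user database.
ACCOUNTS = {"alice@example.com"}

# Stand-ins for a mail sender and persistent token storage.
OUTBOX: list[tuple[str, str]] = []          # (recipient, body)
RESET_TOKENS: dict[str, str] = {}           # token -> email

# One response for every request, so the form cannot be used to check which addresses exist.
RESPONSE = "If an account exists for that address, a password reset email has been sent."


def request_password_reset(email: str) -> str:
    """Always returns RESPONSE; sends the reset email only when the address is registered."""
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        RESET_TOKENS[token] = email
        link = f"https://example.invalid/reset?token={token}"  # placeholder host
        OUTBOX.append((email, f"Renew your password by clicking here: {link}"))
    return RESPONSE


def consume_reset_token(token: str) -> Optional[str]:
    """Redeem a token once; returns the owning email, or None if unknown or already used."""
    return RESET_TOKENS.pop(token, None)


if __name__ == "__main__":
    print(request_password_reset("nobody@example.com"), len(OUTBOX))
    print(request_password_reset("alice@example.com"), len(OUTBOX))
```

Kept this way, the reset form does not undo the generic login error: an unregistered address and a registered one look identical to the person filling in the form, and only the mailbox owner sees the link.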