Kevin Clark, UX Director, Shopify
07.12.14

Invalid Username or Password: a useless security measure

Kevin Burke on his blog:

If you tell an attacker the email address is wrong, they’ll try a different one. If you tell them the password is wrong, then an attacker knows that the username is correct, and can go on to try a bunch of passwords for that username until they hit the right one. So sites won’t tell you which one is wrong, to try and avoid the information disclosure.

Unfortunately this assumes that there’s no other way for an attacker to discover whether a username/email address is registered for a service. This assumption is incorrect.

99.9% of websites on the Internet will only let you create one account for each email address. So if you want to see if an email address has an account, try signing up for a new account with the same email address.

I’ve personally always hated this. Shouldn’t we try to communicate as clearly as possible to our users? Most people have multiple email addresses and it’s easy to forget which one you use for which service. If it doesn’t really make things more secure then I don’t see why anyone should continue doing this.
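To make the quoted argument concrete, here is a small in-memory model of a site with both a login form and a signup form. It is an added illustration, not code from Kevin Clark's post, Kevin Burke's blog, or Shopify; the `Site` class, the `uniform_signup` switch, the message strings and the `@example.com` addresses are all made up for the example. The login handler does everything the "Invalid username or password" advice asks for (one message for both failure cases, and a dummy hash so the response time is the same), yet `signup_leaks_existence` shows the signup path answers the same question anyway. The `uniform_signup` mode shows what it would actually take for the generic login message to buy anything: every path that takes an email address, signup and password reset included, has to answer identically whether or not the address is registered.

```python
"""Toy model of account enumeration through login vs. signup responses.

Added example; the class, messages and addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Salt used to hash the password of a non-existent account, so a failed login
# costs the same time whether or not the address is registered.
DUMMY_SALT = b"\x00" * 16


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Site:
    users: dict = field(default_factory=dict)  # email -> (salt, pbkdf2 hash)
    uniform_signup: bool = False  # True: signup answers the same for any address

    def register(self, email: str, password: str) -> str:
        if email in self.users:
            if self.uniform_signup:
                # Same wording as a fresh signup; the real notice would go by email.
                return "Check your inbox to finish signing up."
            return "That email address is already registered."
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _hash(password, salt))
        if self.uniform_signup:
            return "Check your inbox to finish signing up."
        return "Account created."

    def login(self, email: str, password: str) -> str:
        record = self.users.get(email)
        if record is None:
            _hash(password, DUMMY_SALT)  # keep timing identical for unknown accounts
            return "Invalid username or password."
        salt, stored = record
        if hmac.compare_digest(_hash(password, salt), stored):
            return "Welcome."
        return "Invalid username or password."


def login_leaks_existence(site: Site) -> bool:
    """Does a wrong password for a real account look different from an unknown account?"""
    site.register("alice@example.com", "correct horse")
    wrong_password = site.login("alice@example.com", "not it")
    unknown_account = site.login("nobody@example.com", "not it")
    return wrong_password != unknown_account


def signup_leaks_existence(site: Site) -> bool:
    """Does the signup response differ for a registered vs. an unregistered address?

    The second register() call creates a throwaway account as a side effect of the probe.
    """
    site.register("alice@example.com", "correct horse")
    existing = site.register("alice@example.com", "anything")
    fresh = site.register(f"probe-{secrets.token_hex(4)}@example.com", "anything")
    return existing != fresh


if __name__ == "__main__":
    default = Site()
    print("login leaks:", login_leaks_existence(default))    # False
    print("signup leaks:", signup_leaks_existence(default))  # True
    hardened = Site(uniform_signup=True)
    print("hardened signup leaks:", signup_leaks_existence(hardened))  # False
```

The point the checks make is the one the post makes: the generic login message on its own does not hide whether an address is registered, because the signup form answers that question directly. Whether the answer is to make every such path uniform (as `uniform_signup` does, at a real cost in clarity for users who simply forgot which address they used) or to accept the disclosure and give users a clear message is the product decision the post is arguing about.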