Error notifications for users who cannot log in to a site

I recently read an article about notifying users when they have an invalid username/email or password.

The thinking is that if either the username/email or the password is invalid, the site should not acknowledge which part was wrong, and in particular should not reveal that the username/email was correct. Doing so confirms to an attacker that the account exists, so they already hold half of the credentials needed to log in. I even mentioned this as a “best practice” in my PHP book.

The article I just read, though, argues against this concept: most attackers can already determine whether a username/email exists simply by trying to sign up with that same entry. When the sign-up is refused, they have confirmation that the username/email is in use. As such, the article suggests you should be more explicit about why the login failed.

However, I recently found another alternative to this. There was a service that I wanted to sign up for, and not only did I not know my password, I didn’t know whether I even had an account. Upon signing up, I received the following text (on the website):

“Your request has been processed. In order to maintain the security of your account, you will receive an email containing a verification code and a link that will allow you to set a new password. You must follow the instructions in the email in order to set a new password.”

Then, in the email I received, I was told that I never had an account! Yes, the original article had some other tips, but I thought this was a clever workaround for that specific point.
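As an added example (not code from the article, the service, or this post), here is how the two ideas combine in a small Python handler: one generic login error for both wrong-username and wrong-password cases, and a password-reset request that returns the same on-site message for every address while the account-exists/does-not-exist detail goes only to the mailbox. The user store, mail outbox and reset URL are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def hash_pw(password: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt); enough for the demo.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user store: email -> password hash (stand-in for a real DB).
USERS = {"alice@example.com": hash_pw("correct horse")}
# Computed once so the unknown-user path still runs a hash comparison.
DUMMY_HASH = hash_pw("dummy")

# The on-site message, identical whether or not the address has an account.
GENERIC_MESSAGE = ("Your request has been processed. You will receive an email "
                   "with a link that will allow you to set a new password.")
LOGIN_ERROR = "Invalid username/email or password."

class Outbox:
    """Constructed stand-in for a mail sender; records what would be sent."""
    def __init__(self) -> None:
        self.sent = []

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))

def request_password_reset(email: str, outbox: Outbox) -> str:
    """Return the same response for every address; put the account-specific
    fact (exists / does not exist) only in the email, which someone probing
    the form does not receive."""
    # Generate a token on both paths so they do comparable work.
    token = secrets.token_urlsafe(32)
    if email in USERS:
        # Hypothetical reset URL; token persistence and expiry are omitted.
        outbox.send(email, "Set a new password",
                    f"https://example.invalid/reset?token={token}")
    else:
        outbox.send(email, "Password reset request",
                    "There is no account for this address.")
    return GENERIC_MESSAGE

def login(email: str, password: str) -> Optional[str]:
    """Return None on success, else one generic error for both wrong-user
    and wrong-password, with no early return on an unknown user."""
    stored = USERS.get(email, DUMMY_HASH)
    ok = hmac.compare_digest(stored, hash_pw(password)) and email in USERS
    return None if ok else LOGIN_ERROR
```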
