
Umm Trello tells you specifically if the password is wrong... /:

Comments
  • 1
    "email or password wrong" on any other site is exactly the same or am I missing something?
  • 1
    @JoshBent No you are right, but where do you see it saying it could be the email or the password... it's blatantly stating the password is incorrect.
  • 3
    So they check the email, then the password, to match.
    It’s kinda ok but at the same time confirms the email exists in that db.
  • 1
    @C0D4 exactly, which isn't the convention. If you type in an email that doesn't exist it tells you it doesn't.
  • 0
    @dalastTomCruise nobody checks for that, it's just a blanket spam of data, if one sticks, they save it.

    It doesn't matter if it tells if the email exists or not, nobody would go out his way to make a non-fully-automated solution that scales across thousands of sites.

    Though if one wants to be real picky, indeed it does reveal more than the previously mentioned message.
  • 1
    @JoshBent ok then why isn't it a convention across the web? Would really help with login to know if you are entering a valid email, because what if I used x instead of y for email or maybe even z... then it would be convenient to get notified of it then... btw I entered both and it notified me that the password is invalid. I get your point, don't get me wrong, because knowing an email is valid isn't what gets you into an account, it's cracking the password that pairs with the email.
  • 1
    @JoshBent Also we aren't just talking about automated scripts that try to break a combination... what if someone who knows me tries to enter my account and logically they try to use the emails they know I have, well it would be nice if it didn't tell them whether it's a valid email or not because it'll make it harder for that person to get the combo right.
  • 0
    @dalastTomCruise

    I wouldn't say that --
    It heavily depends on what attack we are talking about, just automated leaked data spam across entire networks of websites or dedicated leaks trying to fit them to something with a high hit rate like paypal or amazon etc.

    So just having it as standard does sound rather dangerous and I see "if you can make it harder, do it", but it doesn't prevent the attacks your post implied in my eyes.
  • 1
    @dalastTomCruise you posted while I was typing, so my answer might be old.

    edit: point and post still stands, as I basically agreed and stated the same.
  • 1
    @JoshBent haha no worries bud and I get your point completely. I'm not saying it's horrible for security, just pointing out that they are not following a security convention
  • 4
    I've read an article on this topic a few weeks ago:
    https://hackernoon.com/username-or-...
  • 1
    @dalastTomCruise Send me your password, I'll help you fix it 😇
  • 0
    @HomeAlone haha thanks for the share and insight. Makes sense... I might follow trello's convention for the app I'm working on then.
  • 1
    @dalastTomCruise I think the biggest issue with confirming that email exists but the password is wrong is not so much security as privacy related.

    hardcorefurrypornclub.com > boss@company.com. Yup, we have that email on record, just not with that password!
  • 0
    Everyone is doing this. Gmail, outlook and so on. Enter your email id first and then password.
  • 0
    I do show if the email is correct or (if the email is correct) the password is correct. This is what the users like, and I've been such a user, and I remember the frustration of an output that didn't say what's wrong. 😔
  • 1
    Just for the record, passport JS docs specifically state the possibility for phishing using a message for password or username, instead of both. There's an actual section in the docs about it. Just saying.
  • 1
    @JoshBent I honestly think I must have remembered that incorrectly. I'm looking at username and password in passport docs and can't find it. My bad. (It was probably an additional statement from the person teaching me passport at the time and that's why I got confused). Sorry for the inaccuracy.
  • 1
    @ChachiKlaus no worries, just was surprised that they would include that.
  • 1
    @abcdev I entered my email... there's nothing in the login because I didn't want to show that
  • 1
    @bittersweet read @HomeAlone's link... it basically makes the convention "password or email" pointless... if someone wanted to find out if it does they can just try a sign up form and see if it's taken.
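The two behaviours argued over in this thread, side by side, as an added example that is not part of any comment above and not Trello's or passport's code: `login_leaky` returns a distinct message for "unknown email" and "wrong password" (the behaviour the thread describes), while `login_uniform` returns one message and does the same password-hashing work whether or not the email exists, so neither the text nor the response time confirms that an account is on record. The user store, the salts and the dummy record are constructed for the demo; `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are standard-library calls.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # kept low for the demo; production values are higher


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same work for every caller."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed in-memory user store (not a real database): email -> (salt, hash)
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}

# A dummy record used for unknown emails so that the hashing work is still done.
# The stored value is the hash of a random secret nobody knows, so it never matches.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(32), _DUMMY_SALT)


def login_leaky(email: str, password: str) -> tuple[bool, str]:
    """Distinct messages: the response itself tells you whether the email exists."""
    record = USERS.get(email)
    if record is None:
        # Returns early, before any hashing: also a timing tell, not only a text one.
        return False, "No account exists for that email"
    salt, stored = record
    if hmac.compare_digest(stored, _hash_password(password, salt)):
        return True, "ok"
    return False, "Password is incorrect"


def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """One message and one code path whether or not the email is on record."""
    known = email in USERS
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    # The hash is always computed, so unknown and known emails cost the same time.
    matched = hmac.compare_digest(stored, _hash_password(password, salt))
    if known and matched:
        return True, "ok"
    return False, "Email or password is incorrect"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__)
        print("  unknown email :", fn("nobody@example.com", "whatever"))
        print("  wrong password:", fn("alice@example.com", "wrong"))
        print("  correct       :", fn("alice@example.com", "correct horse"))
```

As the last comment points out, a uniform login message only closes the hole if the registration and password-reset forms stop confirming whether an address is taken as well; otherwise the check simply moves to a different endpoint.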