*The correct response does not indicate if the user ID or password is the incorr... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Karunamon on Feb 2, 2015 \| parent \| context \| favorite \| on: Authentication Cheat Sheet The correct response does not indicate if the user ID or password is the incorrect parameter and hence inferring a valid user ID. ARGH. This is a usability nightmare - moreso when the recovery system implements the same rule. "Okay, I had an account on this website, which email address was it again?" try logging in a few times "Hm.. I must have forgotten the password. Off to reset!" go through the recovery process recovery page indicates an email will be sent email never comes "Wait, so are they being 'really secure', or is email just broken right now?" wait a couple hours forget about the site

davyjones on Feb 3, 2015 [–]

The trick here is it not go to the reset page but to the signup page. Almost always, there is a message that indicates that the email id is already taken.

(which is why I think that indicating specifically, that the userid was incorrect or the password was, is better UX.)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact