"Username and/or Password Invalid" - Why do websites show this kind of message instead of informing the user which one was wrong?

If a malicious user starts attacking a website by guessing common username/password combinations like admin/admin, the attacker would know that the username is valid if it returns a message of "Password invalid" instead of "Username or password invalid".

If an attacker knows the username is valid, he could concentrate his efforts on that particular account using techniques like SQL injections or brute-forcing the password.


As others have mentioned, we don't want you to know whether or not it was the username or password that was wrong so that we are not as susceptible to brute-force or dictionary attacks.

If some websites wanted to let their users know which one failed while still being in the green security-wise, they could implement "honeypot" usernames (such as Administrator, admin, etc.) that would alert website admins that someone is snooping around their website. You could even set up some logic to ban their IP address if they were to attempt to log in with one of those "honeypot" usernames. I know one person who actually had a website and put in their source code an HTML comment such as "Since you keep forgetting Richard: Username: cheese Password: Burger123" near the login box with the intent to monitor any IP address that attempted to use that username/password. Adding monitoring logic like that is a lot of fun when you're developing a website.

Of course, logging invalid login attempts and adding appropriate logic to deal with those IP addresses works too. I know some would disagree with me, but depending on the type of website, I don't think it is too big of a deal to let the user know as long as you add additional security measures in preventing different kinds of attacks.


My favorite secure implementation of this is done by a bank I use. If I type in my username correctly, it will say "Welcome Jimbob!" and then prompts me to answer security questions (if I have never logged in from this browser on this computer), wait for me to answer the security questions correctly, and then will let me see my security image/caption and input my password. If I type in the wrong username, I will see something like "Welcome Bessie/Kareem/Randal!" where the displayed name is very uncommon — though you will always get the same name for the same username (I'm usually not sure between one or two usernames; and the wrong one consistently calls me Frenshelia). I assume it's implemented as some sort of non-cryptographic hash applied to any inputted username that uniquely maps to one username on a long list of fairly uncommon names. This lets legitimate users know if they typed in the wrong username (as even if you have an uncommon name like Bessie, it's very unlikely that the wrong username you randomly guessed maps back to your specific uncommon name), without making it obvious to people trying to find random accounts that the username doesn't exist.

As an aside: I'm not particularly fond of the security questions/security image part, which seems to border on security theater. A sophisticated attacker doing a man-in-the-middle (MITM) attack (e.g., after installing fake certificates in your web browser; and DNS/ARP spoofing to point yourbank.com to their IP address) could wait until you try logging into the site, then have an automated script sign in on their computer to the real site, get the security questions, display the chosen security questions back to you, send back the answers to the site themselves from their browser, wait to get the security image, serve back the security image to you, and then wait for you to input the password from their end at which point they use the password to log in as you and do malicious things. Granted, the questions+image makes the process more difficult than having all the time in the world to collect all the security images for a variety of attacked usernames by turning it into an attack that must be done in real-time and possibly leaves a suspicious signature.
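The consistent decoy-name greeting described in the answer above, as an added example that is not the bank's code or the answerer's: the account table, decoy-name list and server key are constructed here, and a keyed HMAC is used in place of the non-cryptographic hash the answer guesses at, so that the username-to-decoy mapping cannot be recomputed by anyone who does not hold the server key.

```python
import hashlib
import hmac

# Constructed sample account table: login name -> display name (not real data).
ACCOUNTS = {"jimbob": "Jimbob"}

# Constructed, shortened stand-in for the "long list of fairly uncommon names".
DECOY_NAMES = ["Frenshelia", "Kareem", "Randal", "Bessie",
               "Ottoline", "Bartholomew", "Zephyrine", "Ignatius"]

# Assumed server-side secret. Keying the hash means an outsider cannot compute
# the decoy name for a guessed username and compare it with the site's reply
# to tell real accounts from non-existent ones.
SERVER_KEY = b"constructed-example-key-not-for-production"


def normalize(username: str) -> str:
    """Canonical form so 'JimBob ' and 'jimbob' map to the same greeting."""
    return username.strip().lower()


def decoy_name(username: str, key: bytes = SERVER_KEY) -> str:
    """Deterministically map any username to one entry of DECOY_NAMES.

    The same username always yields the same name (the answer's 'consistently
    calls me Frenshelia' behaviour); different keys give independent mappings.
    """
    digest = hmac.new(key, normalize(username).encode("utf-8"),
                      hashlib.sha256).digest()
    index = int.from_bytes(digest[:8], "big") % len(DECOY_NAMES)
    return DECOY_NAMES[index]


def greeting(username: str) -> str:
    """Text shown after the username step.

    Real and unknown usernames produce a reply of identical shape, so the
    response alone does not reveal whether the account exists.
    """
    user = normalize(username)
    name = ACCOUNTS.get(user) or decoy_name(user)
    return f"Welcome {name}!"


if __name__ == "__main__":
    for attempt in ("jimbob", "JimBob ", "frank42", "frank42", "admin"):
        print(f"{attempt!r:12} -> {greeting(attempt)}")
```

The server must never send anything beyond the greeting string (such as an "account found" flag) to the client, and the decoy list should be long enough that a legitimate user's own rare name is unlikely to come back for a mistyped username, as the answer notes.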