当用户输入错误的密码时,哪种错误消息更好? [英] Which error message is better when users entered a wrong password?
问题描述
从安全的角度来看,当用户输入错误的密码时,以下两个错误消息之间是否有区别?
Is there any differences between the following two error messages from security point of view when users entered a wrong password?
用户名或密码错误.
Wrong username or password.
密码错误.
例如,当您在Gmail.com上输入错误的密码时,它将告诉您您输入的用户名或密码不正确".是否出于安全原因考虑?我认为错误消息:您输入的密码不正确"对用户来说更清楚,而且,很容易检查Gmail.com上是否存在用户名:只需单击无法访问您的帐户" ?"并输入用户名.如果用户名不存在,它将告诉您.
For example, when you enter a wrong password on the Gmail.com, it will tell you "The username or password you entered is incorrect". Is there any considerations for security reasons? I think the error message: "The password you entered is incorrect" is more clear to users, And, What's more, it's very easy to check whether a username is exists on the Gmail.com: just click "Can't access your account?" and enter the username. If the username doesn't exists, it will tell you.
推荐答案
该想法是不向黑客提供额外的信息.如果您输入的密码错误,则表示您已告知黑客其用户名正确,反之亦然.尽管您说的是正确的,但在某些站点上可以通过其他方法确定您是否猜到了用户名.
The idea is to not give hackers extra information. If you say wrong password, you've told a hacker that they have a correct username, and vice-versa. Although what you've said is true, on some sites it is possible to determine if you've guessed a username via other means.
这篇关于当用户输入错误的密码时,哪种错误消息更好?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!