当用户输入错误的密码时，哪种错误消息更好? [英] Which error message is better when users entered a wrong password?

问题描述

从安全的角度来看，当用户输入错误的密码时，以下两个错误消息之间是否有区别?

Is there any differences between the following two error messages from security point of view when users entered a wrong password?

用户名或密码错误.

Wrong username or password.

密码错误.

例如，当您在Gmail.com上输入错误的密码时，它将告诉您您输入的用户名或密码不正确".是否出于安全原因考虑?我认为错误消息:您输入的密码不正确"对用户来说更清楚，而且，很容易检查Gmail.com上是否存在用户名:只需单击无法访问您的帐户" ?"并输入用户名.如果用户名不存在，它将告诉您.

For example, when you enter a wrong password on the Gmail.com, it will tell you "The username or password you entered is incorrect". Is there any considerations for security reasons? I think the error message: "The password you entered is incorrect" is more clear to users, And, What's more, it's very easy to check whether a username is exists on the Gmail.com: just click "Can't access your account?" and enter the username. If the username doesn't exists, it will tell you.

推荐答案

该想法是不向黑客提供额外的信息.如果您输入的密码错误，则表示您已告知黑客其用户名正确，反之亦然.尽管您说的是正确的，但在某些站点上可以通过其他方法确定您是否猜到了用户名.

The idea is to not give hackers extra information. If you say wrong password, you've told a hacker that they have a correct username, and vice-versa. Although what you've said is true, on some sites it is possible to determine if you've guessed a username via other means.

这篇关于当用户输入错误的密码时，哪种错误消息更好?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！