Telling them "correct password, wrong email" seems like a bit of an information leak if you ask me.

I think a "did you mean?" output in case of a bad password as long as there are lexically similar usernames in the database.




Ignoring the fact that doing that would be retarded, if you're following modern practices and hashing passwords with KDFs that's not really possible without killing your server.
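To make both points above concrete (the "correct password, wrong email" leak, and why a per-user KDF makes such a check expensive), here is an added example that is not from any commenter in the thread. It uses PBKDF2-HMAC-SHA256 with a constructed three-user store; the user store, iteration count and messages are assumptions for illustration.

```python
import hashlib
import hmac
import os
PBKDF2_ITERS = 100_000          # illustrative cost; production settings are higher
STATS = {"kdf_calls": 0}        # counts KDF evaluations so the cost argument is visible

def kdf(password: str, salt: bytes) -> bytes:
    """Password hash with a deliberately slow KDF (PBKDF2-HMAC-SHA256 here)."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def make_store(users: dict) -> dict:
    """Constructed user store: email -> (salt, hash). Salts are per user, so a
    submitted password can only be checked against one account per KDF run."""
    store = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        store[email] = (salt, kdf(pw, salt))
    return store

# Dummy credential so that an unknown email still costs exactly one KDF run.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = kdf(os.urandom(16).hex(), _DUMMY_SALT)

def login_leaky(store: dict, email: str, password: str) -> str:
    """The behaviour the thread criticises: a distinct message per failure mode,
    including 'correct password, wrong email', which requires trying the submitted
    password against every other account (one KDF run each)."""
    if email not in store:
        return "wrong email"
    salt, h = store[email]
    if hmac.compare_digest(kdf(password, salt), h):
        return "ok"
    for other, (s, hh) in store.items():
        if other != email and hmac.compare_digest(kdf(password, s), hh):
            return "correct password, wrong email"
    return "wrong password"

def login_uniform(store: dict, email: str, password: str) -> str:
    """One KDF run whatever happens, and a single message for every failure, so
    the response neither enumerates emails nor pairs passwords with accounts."""
    salt, h = store.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(kdf(password, salt), h)
    return "ok" if matched and email in store else "invalid email or password"

def measure(fn, store: dict, email: str, password: str):
    """Run a login function and return (message, KDF evaluations it consumed)."""
    before = STATS["kdf_calls"]
    return fn(store, email, password), STATS["kdf_calls"] - before
```

With N accounts, `login_leaky` costs up to N KDF runs on a wrong password, while `login_uniform` always costs one and never reveals which half of the credential was wrong.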


Sorry, should have added a :-P to indicate my sarcasm.



