Question

Most websites say "username or password is wrong" whenever we type a wrong password. Why do they not say "your password is wrong"?

Solution 2

Just ignore the security issue of saying "Your password is wrong". First we can check whether it is possible to say "Your password is wrong".

I posted this question in our college group and I felt one answer from the group is worth posting here.

A website can say that 'your password is wrong' only if the website is sure that you typed your username correctly. How does the website know that you typed your username correctly? There is no way to know that.

The authentication failure may occur in three ways:

  1. You may enter correct username but wrong password.
  2. You may enter correct password but wrong username.
  3. You may enter wrong username and password.

The website processes it as given below.

a. If the username is not in the database, the website can't say that 'Your username is wrong', because the website doesn't know whether the password you entered is your correct password. So the website can say 'Username or password is wrong.' only.

b. If the username is in the database, the website can't say that 'Your password is wrong', because the website doesn't know whether the username you entered is your correct username. So the website can say 'Username or password is wrong.' only.

OTHER TIPS

So that if someone is trying to guess a valid username and password they are not told "Yes, you managed to guess a valid username". That may or may not be a useful thing for any given site if usernames are visible in other ways.

Apart from security, it may also be a 'lazy' design choice. Why bother checking separately if the username is wrong or the password is wrong, when you can just write one query and output whether it was a success or not? Ultimately the user will know themselves if they got one or the other wrong.

It can also be sure laziness or code cleanliness too. Simple example below.

// $username / $password: stored values; $submitted*: values from the login form
if ($password !== $submittedpw || $username !== $submittedusername)
{
    print 'username and or password is wrong';
}

The above is much quicker to do than

// Same variables as above, but each field is checked and reported separately
if ($password !== $submittedpw)
{
    print 'password is wrong';
}
elseif ($username !== $submittedusername)
{
    print 'username is wrong';
}
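
The concern raised above about not telling someone "you managed to guess a valid username" applies to response timing as well as to the message text. The following is an added example, not code from any of the answers; `attemptLogin`, `GENERIC_ERROR` and the in-memory `$users` array are assumptions made for illustration. It returns the same message for an unknown username and a wrong password, and runs the password verification in both cases.

```php
<?php
// Added example: constructed user store; a real site would query its database.
const GENERIC_ERROR = 'Username or password is wrong.';

/**
 * Returns [bool $ok, string $message]. The message and the amount of
 * hashing work are the same for "unknown username" and "wrong password".
 */
function attemptLogin(array $users, string $username, string $password): array
{
    // Hash of a throwaway value, verified when the username is unknown so
    // that both failure paths spend comparable time in password_verify().
    static $dummyHash = null;
    $dummyHash ??= password_hash('constructed-placeholder', PASSWORD_DEFAULT);

    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummyHash;

    // Always run the verification; a match against the dummy hash still
    // fails because $known is false.
    $passwordOk = password_verify($password, $hash);

    if ($known && $passwordOk) {
        return [true, 'Welcome.'];
    }
    return [false, GENERIC_ERROR];
}

// Constructed sample data.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

$cases = [
    ['alice',   'correct horse'], // valid login
    ['alice',   'wrong'],         // correct username, wrong password
    ['mallory', 'correct horse'], // username not in the store
];
foreach ($cases as [$u, $p]) {
    [$ok, $msg] = attemptLogin($users, $u, $p);
    printf("%-8s %-5s %s\n", $u, $ok ? 'ok' : 'fail', $msg);
}
```

The last two cases print the identical generic message, so the response alone does not reveal which field was wrong.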
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow