Hacker News

I've had the same argument many times over error messages for login and forgot-password flows. Being security conscious is a way of thinking that many people aren't really capable of, and an even greater number have problems maintaining consistently. It's so ingrained in product managers to make their software as friendly as possible that they forget that sometimes their users don't have similarly noble intentions. This is also why social engineering is so successful. When it's your job to be helpful, it's very difficult to be strategically unhelpful when necessary.



If you have a sign-up page, the usual "invalid email or password" message on the sign-in form doesn't increase security.
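The point made in this comment, as an added illustration that is not part of the thread: a generic sign-in error is only as good as the quietest flow that touches the same user table. The code below is a constructed, in-memory model (the user store, messages, `OUTBOX` and the helper names are all assumptions made for the demo). It pairs a login handler that answers and works identically for known and unknown addresses with two sign-up handlers: a leaky one whose reply reveals whether the address is registered, and a uniform one that gives the same reply either way and moves the distinction into the e-mail only the mailbox owner can read. `enumerable()` checks a flow for exactly the difference this comment is about.

```python
"""Account-enumeration check across sign-in and sign-up flows.
Added example; the store, messages and helper names are constructed."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: email -> (salt, pbkdf2 hash)
_USERS: dict[str, tuple[bytes, bytes]] = {}
# Outbox captures what *would* be e-mailed, so the demo runs offline.
OUTBOX: list[tuple[str, str]] = []

GENERIC_LOGIN_ERROR = "Invalid email or password."
UNIFORM_SIGNUP_MSG = "Check your inbox for a link to continue."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# A dummy credential so that an unknown address costs the same hashing
# work as a known one (the response text alone is not the only channel).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[email.lower()] = (salt, _hash(password, salt))


def login(email: str, password: str) -> tuple[bool, str]:
    """Same message and same work whether or not the account exists."""
    key = email.lower()
    salt, stored = _USERS.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if key not in _USERS or not ok:
        return False, GENERIC_LOGIN_ERROR
    return True, "Welcome."


def signup_leaky(email: str) -> str:
    """Weak form: the reply itself says whether the address is registered,
    which undoes the generic login message above."""
    if email.lower() in _USERS:
        return "That email is already registered."
    OUTBOX.append((email, "verify-address"))
    return "Check your inbox for a verification link."


def signup_uniform(email: str) -> str:
    """Hardened form: identical reply either way; the existing-account
    notice goes to the mailbox, which only its owner can read."""
    if email.lower() in _USERS:
        OUTBOX.append((email, "you-already-have-an-account"))
    else:
        OUTBOX.append((email, "verify-address"))
    return UNIFORM_SIGNUP_MSG


def enumerable(signup) -> bool:
    """True if a registered and an unregistered address get different
    replies from the given sign-up flow, i.e. the flow leaks existence."""
    return signup("known@example.test") != signup("nobody@example.test")


if __name__ == "__main__":
    register("known@example.test", "correct horse battery staple")
    print(login("known@example.test", "wrong"))   # (False, GENERIC_LOGIN_ERROR)
    print(login("nobody@example.test", "wrong"))  # same tuple
    print("leaky sign-up enumerable:", enumerable(signup_leaky))      # True
    print("uniform sign-up enumerable:", enumerable(signup_uniform))  # False
```

The same `enumerable()`-style check applies to the forgot-password flow mentioned in the first comment: if reset answers "no account with that address" while login stays generic, the generic login message buys nothing.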



