开发者

Should I give separate messages for an incorrect password and an incorrect username? Or keep it the same for security?

I think having separate m开发者_运维技巧essages may allow for a less frustrating user experience, as someone who has forgotten their details has less to narrow it down to. However, it's then possible for someone to keep scraping the site to determine a list of usernames that are in use.

Is it worth accepting the small security issue, in order to create a better user experience?


When it comes to security, I would always err on the side of caution. Use a generic message.


No it is not worth it. To be safe, you want to give out as little information as possible.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜