The Key to Designing Good Login Error Messages

A secure login system is a crucial aspect of any web application. It is the entry point to the system and authenticates users so that only authorized individuals get access. A well-designed login protects users' personal information and sensitive data from unauthorized access, theft, and misuse. It also means that when a login attempt fails, the user has to be told so in some form, usually through a widget or a text box displaying an error message.

Designing Error Messages

As a developer, receiving error messages that are presented in a clear, concise, and helpful manner creates a great development experience. This is part of the reason why I believe the Rust language has taken off so much, as its error messages do exactly that. What does a good error message look like?

Firstly, error messages should provide useful details without using technical jargon. They should be easily readable yet still give exact information.

Secondly, it shouldn't make users work for it; error messages should provide a next step to help users get where they need to be.

And thirdly, they should be kept neutral and helpful while staying humble, to avoid blaming the user for the error.

Login Error Messages

There is a bit of an issue regarding login error messages. Say you had a username/password login system.

If the user exists in the database and the username/password combination is correct, the user should be logged in. If either the username or the password is wrong, the user has to be informed that the entered credentials are incorrect so that they can try again.

If we were to follow the above principles, the error messages would look something like this: "The user does not exist. Sign up here for an account." or "The password for <username> is wrong. Do you want to recover your password? Click here."

With login error messages, however, the wording can be critical to the overall security of the login system. Providing specific error messages can make it easier for attackers to gain unauthorized access to an account.

For example, if we display a message that says "The user does not exist", an attacker can use that response to enumerate valid usernames: they submit a list of candidate names with any password and keep the ones that do not trigger that message.

Similarly, if we display a message that says "The password for <username> is incorrect", or even simply "The password is incorrect", the message confirms that the username is valid, and the attacker can then concentrate a brute-force attack on the password for that account.

To address this issue we should use a generic error message that does not reveal which part of the credential pair was wrong. For example, we might display "Incorrect username or password" for every failure, rather than a separate "Invalid username" and "Incorrect password". The message text is only part of the fix: the two failure paths must also return the same HTTP status, a response of the same shape, and take roughly the same time. A common mistake is to return early when the username is not found, skipping the password hash check, so the "unknown user" response is measurably faster than the "wrong password" one even though the message is identical. Finally, a generic message does not by itself stop password guessing; rate limiting or lockout on repeated failures is still required.
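The following is an added example, not code from the original article, that puts the leaky login handler described above next to a hardened one. The user table, the PBKDF2 parameters, and the dummy record are assumptions made for the example; the point is that the hardened handler returns the same message for every failure and does the same hashing work whether or not the username exists.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table for the example; a real application
# would read salted hashes from its datastore. The password itself is never kept.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "alice": make_user_record("correct horse battery staple"),
}

# Dummy record (assumption for the example) so the "unknown user" path does the
# same PBKDF2 work as the "known user" path. Without it, response time reveals
# whether the username exists even when the message does not.
_DUMMY = make_user_record("dummy-password-never-matches")

GENERIC_ERROR = "Incorrect username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable version: distinct messages and an early return that skips hashing."""
    record = USERS.get(username)
    if record is None:
        # Tells the attacker the username is not registered.
        return False, "The user does not exist. Sign up here for an account."
    if not hmac.compare_digest(record["hash"], _hash_password(password, record["salt"])):
        # Confirms the username is valid and only the password was wrong.
        return False, f"The password for {username} is wrong. Do you want to recover your password?"
    return True, f"Welcome, {username}."


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message for every failure, same work on every path."""
    record = USERS.get(username)
    user_exists = record is not None
    if record is None:
        record = _DUMMY
    # Hash and compare unconditionally so timing does not depend on user_exists.
    password_ok = hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))
    if user_exists and password_ok:
        return True, f"Welcome, {username}."
    return False, GENERIC_ERROR


if __name__ == "__main__":
    for handler in (login_leaky, login_hardened):
        print(handler.__name__)
        print("  unknown user:  ", handler("bob", "anything"))
        print("  wrong password:", handler("alice", "anything"))
        print("  correct:       ", handler("alice", "correct horse battery staple"))
```

Running the block shows that `login_leaky` returns two different messages for an unknown user and a wrong password, while `login_hardened` returns `GENERIC_ERROR` in both cases. In a web framework the same discipline applies to the status code and the response body size, and the sign-up and password-reset forms need the same treatment, since "that username is already taken" leaks exactly what the login page was hiding.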

Conclusion

In summary, the problem with specific login error messages is that they tell an attacker which usernames exist, which makes it easier to target an account. To mitigate this risk, use a single generic message such as "Incorrect username or password" for every failed attempt, and make sure the failure responses do not differ in any other observable way.