On web startups, technology, music and growth
Ok, so you own a web site with users. Here’s what you typically do with your login form, where you ask for an e-mail address (or perhaps a nickname) and a password.
You run some kind of query against your database to see whether there is a user with that email + password combination, and if you find one, you log that user in. So something like:
SELECT * FROM users WHERE email=:email AND passwordhash=:passwordhash
So far so good, and bonus points for you if you indeed do not store passwords in plaintext, and even more if you use a salt with that hash. Most companies get at least the no-plaintext part right these days, I think. Good.
BUT, what if that query returns nothing? Here is what 99% of web sites do, including big ones like Twitter:
What GOOD sites do when no user/password combination is found in the database is a second query, to determine whether it was just the password that was incorrect or whether the email does not exist in the database at all. As so often, Facebook gets this right, because they are pretty good with the whole UI thingie:
This does not impose much extra load on your server, because the extra work is only done when somebody submits a wrong email/password combination, so it would not double the queries on your user database or anything.
That’s all, thank you for listening. I’d love it if you shared this post if this has annoyed you as well, or commented on it if you think I’m completely wrong to have this as one of my (many) pet peeves.
P.S.: I know there are arguments to be made against revealing that a certain email address corresponds to a user. For example, it potentially gives people with malicious intent a (cumbersome) way to tell that an email address exists, or that a given person is on a site.
And perhaps Facebook can get away with this because everybody and their mother is on it, but perhaps you feel your Defense NASA Banking site cannot. Still, I don’t think most sites thought this far; they just go with the lazy route because everybody else does it and gets away with it. And at the very least, you have measures in place to prevent automated non-humans from submitting your login form, I’m sure.
UPDATE: many people have pointed out to me that the afterthought I so casually put in a post scriptum is quite an important one. Maybe, to avoid giving any information to hackers, here is an approach that is a bit more secure. Store the user’s email address in a cookie (even if you don’t have a ‘remember me’ cookie login, in which case all of this is obsolete of course), and if the email address he tries to log in with matches that cookie, then show him that the address exists but the password is wrong.
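The cookie-gated variant from the UPDATE, written out as an added example (not the post’s own code): the email-vs-password distinction from the second-query approach above is only shown when the browser carries a cookie naming that very email, and everyone else gets the generic message. The in-memory USERS table, the login function and the sample account are constructed for this example; because the hash is salted per user, it looks the account up by email and verifies the hash in code rather than matching on passwordhash in the query.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Messages returned to the browser.
GENERIC = "Incorrect email or password."
WRONG_PASSWORD = "The email address exists, but the password is incorrect."
UNKNOWN_EMAIL = "No account with that email address."


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the salt makes precomputed tables useless.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed stand-in for the users table: email -> (salt, passwordhash).
USERS = {"alice@example.com": make_user("correct horse")}


def login(email: str, password: str,
          remembered_email: Optional[str]) -> Tuple[bool, str, Optional[str]]:
    """Return (success, message, cookie_value_to_set).

    remembered_email is the email stored in the cookie on an earlier
    successful login from this browser, or None if there is no cookie."""
    record = USERS.get(email)
    if record is not None:
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            # Success: remember the email so later failures from this
            # browser can be specific.
            return True, "Logged in.", email
    # Failure: only reveal the email-vs-password distinction when the
    # browser has previously logged in as exactly this address.
    if remembered_email is not None and hmac.compare_digest(
            remembered_email.encode(), email.encode()):
        message = WRONG_PASSWORD if record is not None else UNKNOWN_EMAIL
    else:
        message = GENERIC
    return False, message, None
```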