When creating a standard username/password login page, care
should be taken to ensure that malicious users are not given clues about the
nature of the login system. The following error messages should be avoided
when displaying a failed login attempt.
"The password for this user is incorrect" - This confirms that the malicious user has a valid username.
"The password should be 6 characters long" - The malicious user now knows the length of a valid password.
"The username could not be found" - The malicious user can simply keep trying until they enter a valid username.
Displaying a more generic error message along the lines of "The username or password you entered is incorrect" offers fewer clues about the nature of the login system in use. This makes it just a little bit more difficult for someone to log in using someone else's account credentials.
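The contrast described above, as an added example that is not part of the original text: a leaky login check that returns the three messages the text warns against, beside one that returns the single generic message on every failure path. The user store, salt and passwords are constructed for the example; the hardened version also does the same hashing work for unknown usernames so that response time does not reveal what the message no longer does.

```python
import hashlib
import hmac
import secrets

GENERIC_ERROR = "The username or password you entered is incorrect"


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed in-memory user store: username -> (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credentials used when the username is unknown, so the failure path
# costs the same as a real comparison (a hypothetical addition for timing).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(16), _DUMMY_SALT)


def leaky_login(username: str, password: str) -> tuple:
    """The pattern the text warns against: each failure says something different."""
    if len(password) < 6:
        return False, "The password should be 6 characters long"
    if username not in USERS:
        return False, "The username could not be found"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "The password for this user is incorrect"
    return True, "OK"


def safe_login(username: str, password: str) -> tuple:
    """One generic message on every failure path; no length check at login time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash and compare, whether or not the username exists.
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return True, "OK"
    return False, GENERIC_ERROR
```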