If you're only giving the message when the username *doesn't exist*, wouldn't th... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		higherpurpose on Dec 1, 2014 \| parent \| context \| favorite \| on: “Invalid username or password” is a useless securi... If you're only giving the message when the username doesn't exist, wouldn't that mean the attacker would know when the username does exist?

wtetzner on Dec 1, 2014 [–]

The message is always sent through email though, so the attacker wouldn't see it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact