"Invalid username or password": This design is really bad.

.

If you get a wrong username (usually a mailbox) or a password when you log in, most systems will pop up like this: Invalid Username or Password (invalid username or password). The system will not tell you which one was wrong because they were deliberately designed to do so, like the following examples:

The reason for this, is because of security, if someone malicious attempt to crack, try to tell them the wrong password is incorrect means that the mailbox is right (account exists), virtually excluding them an option.

Unfortunately, this design obviously underestimates people's IQ.

99.9% of the Web site only allows a single mailbox to register an account, so if you really want to know that an account is not there, as long as try to use the same mailbox to register again on it, if the registration failed, the user name is right.

In other words, the phrase "Invalid username or password" is not designed to achieve the desired security defensive purpose. This design not only has no security value, but more importantly, it makes the user experience of ordinary user landing very bad.

User Login error user name or password caused system error, when the system does not return to the user an accurate feedback, neither tell you is the user name error, or password error, for users is completely useless to correct input errors, is a very bad experience.

"Invalid username or password" This design cannot be said to be a trade-off between security and user experience because it does not have the benefit of security itself.

The tradeoff between security and user experience really should be this: you can keep the "invalid username or password" in the login system, but when the user tries to register with the mailbox, the system should send a message to the mailbox that can complete the remaining registration process directly. This way, other people do not know if the mailbox is registered or not, except for those who actually own the mailbox.

More and more websites are now using other design methods to secure access: such as dual authentication using dynamic barcode technology, and a combination of third-party password management software such as LastPass or 1Password; combined with fingerprint identification technology for iphone Touch ID Or even the password-free login system.

But now too many websites still keep "Invalid username or password" This crappy design.

This is actually a very small detail, but the design logic behind it is very problematic. This reflects the Web site system design should be multi-faceted, such as the prevention of error landing system, if there is no registration system with the form of a fake, in vain to pull down the user experience just.

Kevin Burke, a former Twilio API engineer, raised the issue in an article, which I think is still very enlightening, and welcome interested students to email and discuss with me: suxiaoqiang#36kr.com.