
It used to be the case that authentication systems wouldn't confirm whether a user account existed and, instead, would simply report that the user logon name or password was incorrect.

Nowadays, a lot of authentication systems (particularly those for Google Accounts, Microsoft Accounts, etc.) will (1) confirm that the user account exists by use of the submitted user logon name and then (2) prompt for the password.

Why did this change?

user accounts for those systems are email addresses and therefore public - once you get an email from this account, you know the 'username' – schroeder Jan 31 '17 at 14:41

1 Answer

There is a trade-off here between usability and security. Keeping the username secret is more secure, but makes it harder for the user to use the application. Confirming whether a username exists is a marginal risk: the attacker can guess a limited number of values. If the username is an email address, the protection is reduced even more since email addresses are generally public. These providers think that the little reduction in security is worth the extra usability this offers for the user.

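To illustrate the two behaviours the answer contrasts, here is an added example (not from the question or answer): a login check that reveals whether the account exists, beside a uniform one that returns the same message for both failure cases and also does the same hashing work for unknown users so response time does not leak existence either. The in-memory user store and PBKDF2 parameters are hypothetical.

```python
import hashlib
import hmac
import os
import secrets


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Password hashing work factor; chosen for the example, not from the post.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, hash). Hypothetical data.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy credential used when the username is unknown, so the hashing cost
# (and therefore the response time) is the same as for a real account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)


def login_enumerating(username: str, password: str) -> str:
    """Leaky variant: the message (and the skipped hash) reveal account existence."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "ok"
    return "wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened variant: one error message and constant hashing work in both failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    # The explicit membership check guards against a (negligible) dummy-hash match.
    if matched and username in USERS:
        return "ok"
    return "invalid username or password"
```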