I am currently working on a web portal which allows users to log in via standard authentication credentials (username, password).
However, I'm required to return appropriate error messages when the login fails:
- When the email entered is incorrect, return an error message saying "Invalid email".
- When the email entered is correct but the password doesn't match, the error message should be "Invalid password, please try again".
Now, my question is whether the first error message poses any security risk. This is because, when I return an error code in my API response, can an attacker use the response code to enumerate the list of valid email IDs that are registered in my database?
If not, can you direct me to appropriate resources that elaborate on valid error messages to be shown, or any protocol to be followed for such login scenarios.
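The enumeration risk the question describes, shown as an added example (not code from the original post): a login handler that returns the two distinct messages, next to a hardened version that returns one generic message and does the same amount of password-hashing work whether or not the email exists, so neither the text nor the response time reveals which accounts are registered. The user table, the PBKDF2 parameters, the dummy record and the email addresses are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed setting: PBKDF2-HMAC-SHA256 round count (tune for your hardware).
ITERATIONS = 100_000


def hash_password(password, salt):
    """Derive a fixed-length password hash from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(users):
    """Build a constructed user table: email -> (salt, password hash)."""
    db = {}
    for email, password in users.items():
        salt = os.urandom(16)
        db[email] = (salt, hash_password(password, salt))
    return db


# Constructed user table with a single registered account.
USER_DB = make_user_db({"alice@example.com": "correct horse battery staple"})

# Dummy salt/hash used when the email is unknown, so that path performs the same
# hashing work as a real verification and cannot be told apart by timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-valid", _DUMMY_SALT)


def login_verbose(email, password):
    """Vulnerable handler: distinct messages (and an early return before any
    hashing) reveal whether the email is registered."""
    record = USER_DB.get(email)
    if record is None:
        return False, "Invalid email"
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return True, "OK"
    return False, "Invalid password, please try again"


def login_generic(email, password):
    """Hardened handler: one failure message for both causes, and the password
    hash is always computed, even for an unknown email."""
    record = USER_DB.get(email)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hash_password(password, salt)
    # compare_digest is constant-time; the `record is not None` guard makes sure an
    # unknown email can never log in, even if the dummy password were guessed.
    ok = hmac.compare_digest(candidate, expected) and record is not None
    return (True, "OK") if ok else (False, "Invalid email or password")


def enumerate_emails(login, candidates):
    """What an attacker does with the verbose API: submit a wrong password for each
    candidate address and keep those whose response differs from the
    'unknown email' response. Against the generic handler every response is
    identical, so the attacker learns nothing and every candidate is kept."""
    return [e for e in candidates if login(e, "wrong-guess")[1] != "Invalid email"]


if __name__ == "__main__":
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("verbose handler confirms:", enumerate_emails(login_verbose, candidates))
    print("generic handler confirms:", enumerate_emails(login_generic, candidates))
```

Note that the generic message only closes the login endpoint; registration, password-reset and "forgot username" flows commonly leak the same information and need the same treatment, and per-account and per-IP rate limiting is still required because the generic handler does nothing to slow down guessing.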