
When logging in to a site with wrong user/password credentials, the displayed error is most generally a generic "username or password is incorrect". Looking into some PHP code that handles such login I found a MySQL request constrained on both the user id and the password hash, making it indeed impossible to determine which of the strings was wrong if the request returns nothing.

Is there some security principle that explains why sites don't rather search for the username, and then match the password, and also why they don't make error messages more specific ("Username not known", "Incorrect password")?

Dunaril
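As an added example (not code from the question or either answer, and in Python rather than the question's PHP), the following shows that a login handler can do the two-step lookup the question describes, searching for the username first and then verifying the password, while still returning one generic message for both failure cases. It assumes a small in-memory SQLite table standing in for the MySQL users table, PBKDF2-HMAC-SHA256 with a per-user salt as the password hash, and a fixed dummy salt/hash pair (all constructed here) so that the unknown-user path performs the same key-derivation work as the wrong-password path.

```python
import hashlib
import hmac
import os
import sqlite3

GENERIC_ERROR = "Username or password is incorrect"
KDF_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with a per-user salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL users table, seeded with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("alice", salt, hash_password("correct horse", salt)),
    )
    db.commit()
    return db


# Dummy salt/hash used only when the username does not exist, so that both failure
# paths run the same KDF and take roughly the same time. Assumption: the dummy hash
# is never a valid credential; login_generic() still rejects an unknown user even
# if the supplied password happened to match it.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("dummy-never-matches", _DUMMY_SALT)


def login_leaky(db: sqlite3.Connection, username: str, password: str) -> tuple[bool, str]:
    """Two-step check that reports WHICH part failed: the pattern the question asks about."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return (False, "Username not known")  # tells the caller the username is invalid
    salt, stored = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Incorrect password")  # tells the caller the username is valid
    return (True, "ok")


def login_generic(db: sqlite3.Connection, username: str, password: str) -> tuple[bool, str]:
    """Same two-step lookup, but both failure paths do the same work and return one message."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        known = False
        salt, stored = _DUMMY_SALT, _DUMMY_HASH  # burn the same KDF cost as a real user
    else:
        known = True
        salt, stored = row
    # Always compute and compare the hash, regardless of whether the user exists.
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if known and match:
        return (True, "ok")
    return (False, GENERIC_ERROR)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("nobody", "wrong")]:
        print(f"{user!r}/{pw!r}: leaky={login_leaky(db, user, pw)} generic={login_generic(db, user, pw)}")
```

The point of the dummy hash goes slightly beyond the text: a generic message on its own is not enough if the unknown-user branch returns noticeably faster than the wrong-password branch, since the response time would then reveal the same thing the message was hiding. Running the KDF in both branches keeps the two failures indistinguishable in both content and cost.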

2 Answers


Because you would be giving the attacker information.

If you say "The username is incorrect" or "The password is incorrect" then the attacker knows that one is correct. So, for example, once they guess a username, they can now focus on guessing the password. Rather than 2 unknowns, you have reduced it to just 1 unknown.

Also, for a site where the username is your email, you can determine if people have an account there. If I go to a site and insert your email address and it says "The username is incorrect", then you don't have an account. If it says "The password is incorrect" then I know you have an account there. Now imagine the site is some form of pornography site and you can start to see why this could be a bad approach in terms of what you are revealing to an attacker.

Scott Helme

Stating that the username is valid enables user enumeration, allowing an attacker to make a list of valid user accounts. For web services where the usernames are email addresses or can be associated with email addresses this could lead to a spear phishing campaign where targets are sent malicious links to a site they really do have an account for. The usernames could also be used for other services like email, file sharing, or shell access, providing even more vectors for exploitation. Or if the usernames are linked to real names, the attacker could use such information in a social engineering attack.

Obviously forcing an attacker to guess usernames as well as passwords is preferable.

ash
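Even with generic error messages, the enumeration this answer describes leaves a recognisable trace in the login log: one source trying many different usernames, as opposed to one user mistyping their own password a few times. The following is an added example (not from the answer or any real site) of detection logic run over a handful of constructed log lines in a hypothetical `ip=... user=... result=...` format; the addresses are from the documentation ranges and the threshold of five distinct usernames per source is an assumption to tune to the site's own traffic.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format (assumption; not any real site's log).
# 203.0.113.5 cycles through many usernames; 198.51.100.7 is one user retrying a password.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-01-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-01-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2024-01-01T10:00:04Z ip=198.51.100.7 user=dave result=fail
2024-01-01T10:00:05Z ip=203.0.113.5 user=dave result=fail
2024-01-01T10:00:06Z ip=198.51.100.7 user=dave result=fail
2024-01-01T10:00:07Z ip=203.0.113.5 user=erin result=fail
2024-01-01T10:00:08Z ip=198.51.100.7 user=dave result=ok
2024-01-01T10:00:09Z ip=203.0.113.5 user=frank result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the sample format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failed_users_by_ip(events: list[dict[str, str]]) -> dict[str, set[str]]:
    """Map each source IP to the set of distinct usernames it failed to log in as."""
    failed: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            failed[e["ip"]].add(e["user"])
    return dict(failed)


def find_enumeration(events: list[dict[str, str]], threshold: int = 5) -> dict[str, list[str]]:
    """Flag sources whose failed attempts span at least `threshold` distinct usernames.

    Many failures against ONE username look like a forgotten password; failures spread
    across MANY usernames from one source look like an attempt to find which exist.
    """
    return {
        ip: sorted(users)
        for ip, users in failed_users_by_ip(events).items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    for ip, users in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"possible user enumeration from {ip}: {len(users)} usernames tried: {users}")
```

Counting distinct usernames per source rather than raw failures is what separates enumeration from an ordinary lockout case; a real deployment would also bound the count to a time window and feed the flagged source into rate limiting or an alert.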