
[UX] Properly identify to the user whether they've gotten their username or password incorrect when logging in #111

Closed
jenlampton opened this issue Oct 10, 2013 · 11 comments


@jenlampton
Member

Problem/Motivation

When users are logging in and fail validation, they become frustrated in thinking they are getting their password incorrect when it's actually their user name. (Most commonly: they have tried to log in with their e-mail address instead of their username, but see this issue for more on that.)

Proposed resolution

Properly validate each field. If the username is incorrect, state that. Likewise, If the password is incorrect, state that.

Here are some validation functions that need to be checked
user_login_name_validate
user_login_authenticate_validate
user_login_final_validate

Related issue on d.o: https://drupal.org/node/2109299

@mikemccaffrey

Why not allow login via either username or email by default? #277

+1 for changing the error to say that there is no user with that name or email address.

@ericfg

ericfg commented Oct 10, 2013

In general, I've always heard that giving this feedback to a user is a needless security hole. While I can see arguments on both sides, I think the larger issue is that just because a username exists in the system does not mean that the user in question is entering their username correctly (their typo could be someone else's username, which would add confusion and frustration).
The current way Drupal (and almost every other CMS) works is fine in my opinion as long as the user is prompted to use the "I need a new password" link and the email that is sent out includes the user's username.

@quicksketch
Member

Mailchimp has a great writeup on this: http://blog.mailchimp.com/social-login-buttons-arent-worth-it/

The engineering team, ever mindful of security, argued that being generic about username and password errors makes it harder for bad guys to guess usernames by pounding the form with random words or email addresses. But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists, and is not a significant security risk for the bajilions of sites that have them.

The end results of Mailchimp offering better error handling and messages resulted in:

From June 12-July 12 we saw 114,239 login failures—that’s a 66% decrease.

This might not be apples-to-apples, but the security concern isn't legitimate (as pointed out by Mailchimp, you can already check usernames and emails by using the password reset) and the benefit is real.
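To make the trade-off in this thread concrete, here is an added Python model of the two error-message policies (generic, as Drupal 7 behaves, versus the field-specific messages proposed in the issue). It is example code written for this page, not Backdrop's PHP login code or the `user_login_*_validate` functions named above; the account table, salt and hypothetical `login()` / `is_enumeration_oracle()` / `typo_collision()` names are constructed for the illustration. It shows both points made in the thread: the specific policy is an account-existence oracle, and it mislabels the failing field when a mistyped username happens to be someone else's.

```python
"""Model of generic vs. field-specific login error messages (added example, not project code)."""
import hashlib
import hmac

# Constructed sample data: a fixed salt and two accounts with similar usernames.
SALT = b"constructed-example-salt"
ITERATIONS = 10_000  # kept low so the example runs quickly


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the constructed salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


ACCOUNTS = {
    "jen": hash_password("correct horse"),
    "jon": hash_password("battery staple"),
}
# Hashed once for unknown usernames so the work done does not depend on account existence.
DUMMY_HASH = hash_password("dummy-password-for-unknown-accounts")

GENERIC_MESSAGE = "Sorry, unrecognized username or password."


def login(username: str, password: str, policy: str = "generic") -> tuple[bool, str]:
    """Return (success, message) under the chosen error-message policy.

    policy == "generic":  one message for every failure (current Drupal behaviour).
    policy == "specific": say whether the username or the password was wrong (the proposal).
    """
    stored = ACCOUNTS.get(username)
    # Always run the hash and a constant-time compare so timing alone does not reveal
    # whether the account exists; under "specific" the message reveals it anyway.
    candidate = hash_password(password)
    matches = hmac.compare_digest(candidate, stored if stored is not None else DUMMY_HASH)
    success = stored is not None and matches
    if success:
        return True, "Logged in."
    if policy == "specific":
        if stored is None:
            return False, f"There is no account named '{username}'."
        return False, f"The password for '{username}' is incorrect."
    return False, GENERIC_MESSAGE


def is_enumeration_oracle(policy: str) -> bool:
    """True when an attacker-style request can tell 'unknown user' from 'known user, bad password'."""
    _, unknown_user_msg = login("nobody", "wrong", policy)
    _, known_user_msg = login("jen", "wrong", policy)
    return unknown_user_msg != known_user_msg


def typo_collision(policy: str) -> str:
    """ericfg's case: user 'jon' mistypes 'jen' but supplies jon's correct password.

    Returns the message shown; under 'specific' it blames the password although the
    username was the real mistake.
    """
    _, message = login("jen", "battery staple", policy)
    return message


if __name__ == "__main__":
    for policy in ("generic", "specific"):
        print(policy, "enumeration oracle:", is_enumeration_oracle(policy))
        print(policy, "typo collision message:", typo_collision(policy))
```

Run as a script it prints, for each policy, whether the messages form an existence oracle and what a user who mistyped a colliding username would see; the generic policy is not an oracle but gives no hint about which field failed, the specific policy is an oracle and, in the collision case, tells the user their username was right.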

@ericfg

ericfg commented Oct 10, 2013

While I can see the logic of ignoring the security issue, I think the larger issue is the one where you will never know if the username is correct or if the person made a typo that happens to be someone else's username -- leading to a situation where you are telling a user that they got the right username but wrong password when they actually got the wrong username and right password.
In my opinion the only reasonable thing is to say "the username/password combination you entered does not match data in our system, if you are not sure of your username or forgot your password use the 'I lost my password' link"

@quicksketch
Member

In my opinion the only reasonable thing is to say "the username/password combination you entered does not match data in our system

It's definitely reasonable to inform the user if the given user account doesn't exist at all. That's not in conflict with your suggestion and it would save users a lot of trouble if they just didn't get the username correct in the first place.

The odds that there would be a name similar enough that you would accidentally get another user's name is slim when there are only a few user accounts, which is probably more common than sites that allow end-users to sign-up.

leading to a situation where you are telling a user that they got the right username but wrong password when they actually got the wrong username and right password.

In which case the user would have X number of failures and then assume they forgot their password when really their user name was wrong. Regardless of what the message says, after enough failures they'd try to use the password reset form, in which case they're no worse off than with the previous error message.

@ericfg

ericfg commented Oct 10, 2013

In which case the user would have X number of failures and then assume they forgot their password when really their user name was wrong. Regardless of what the message says, after enough failures they'd try to use the password reset form, in which case they're no worse off than with the previous error message.

I guess I don't see how the suggested change creates a potential for less frustration when someone is not sure if they have the right username

@quicksketch
Member

In situations where they accidentally type someone else's username, it doesn't help at all (but doesn't hurt either). In situations where they use a non-existent username, it helps tremendously that they are informed that the username is incorrect, rather than trying different passwords not realizing that the username is the problem.

@ericfg

ericfg commented Oct 10, 2013

I just don't see how setting up a situation where there could be inconsistent information passed back to a user in any way helps, but can see how it could add to confusion (telling a user that the username entered is correct in situations where it is not their username). In my opinion the current methods work in a consistent and clear way and direct users to the right place if necessary. However if no one else jumps in on my side of the discussion, I'll stop pushing back on this change.

@sun

sun commented Oct 10, 2013

I ❤️ the reference to MailChimp's past investigations. They always were and still are spot-on.

This "security feature" only exists for security by obscurity. A true black-hat hacker wouldn't need or rely on this info in the first place.

Thanks for getting rid of that nonsense.

@PapePathe

If the username or email is not found I agree with displaying a relevant error message.
But if the username or email exists and login failed due to bad password I think that message shouldn't be generic.

@jenlampton jenlampton changed the title Properly identify to the user whether they've gotten their username or password incorrect when logging in [UX] Properly identify to the user whether they've gotten their username or password incorrect when logging in Dec 19, 2014
@quicksketch
Member

This has been fixed in backdrop/backdrop#940. Thanks @docwilmot! This will be in 1.2.0.
