When logging in, a different error message is generated when the password is invalid than when the user does not exist.
This allows unauthenticated users to enumerate valid accounts. This information can be used to start a brute force, phishing, spamming, etc. attack.
Please see the OWASP project for more information on how to handle error messages regarding authentication failures: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_and_Error_Messages
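A minimal illustration of the leak and the fix (added example, not code from the reported application): `login_leaky` distinguishes the two failure cases, while `login_hardened` returns one generic message and performs the same hashing work whether or not the account exists, so response timing does not leak either. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; the same cost on every code path."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record for unknown usernames: random "hash" that can never match,
# so the lookup miss still costs exactly one PBKDF2 computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the message (and the early return) reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Hardened: one generic message and identical work for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if ok else "Invalid username or password"


if __name__ == "__main__":
    print(login_leaky("bob", "x"), "|", login_leaky("alice", "x"))
    print(login_hardened("bob", "x"), "|", login_hardened("alice", "x"))
```

A failed login should also be logged server-side with the real reason, so that the generic client-facing message does not hide brute-force attempts from detection.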