Yahoo! paranoids note…this is kind of silly!


In the security world it is regarded as good practice to disclose as little information to the end user as possible: just enough to get the work done.

A typical example is the case when the user provides invalid logon credentials. Applications ideally should let the user know that the credentials provided are not correct without getting into the details of which one (the user name or the password) is actually wrong. The message should be such that a malicious user cannot deduce which of the two is correct or incorrect, as that simply cuts the attacker's work in half: he needs to figure out only one component, because the application itself tells him which component is already correct.

Here is what Yahoo! does when I provide an invalid user id. What I did here was an unintentional typo in the user name. I as an end user now know for sure that the id I am trying to play with is incorrect.


Below is the message that is shown when I type the correct user name but incorrect password:


I am sure now that the id is correct and the only thing I need to figure out is the password (and go out doing some social engineering stuff??).

The ones with a security hat on can deduce permutations to figure out stuff.

While I understand that this is NOT something that affects anyone drastically, when it comes to setting examples of proper security measures for the end users, it is advisable to be thorough, at least with such vanilla stuff. As they say, SECURITY IS AS STRONG AS THE WEAKEST LINK.
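To make the point above concrete, here is a small Python login handler written for this post (an added example, not Yahoo!'s code). `leaky_login` returns a different message depending on whether the user name or the password was wrong, which is the behaviour described above; `hardened_login` returns one generic message for both cases and also hashes the supplied password against a dummy record when the user does not exist, so that the unknown-user path does not finish measurably faster than the wrong-password path. The user store, salt, messages and the user `alice` are all constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# Not real credentials; "alice" and her password exist only for this example.
_ITERATIONS = 100_000
_SALT = b"constructed-salt-value"


def _hash_password(password, salt):
    """Slow, salted password hash so brute force is costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Hash of a random throwaway value. When a user does not exist we compare the
# submitted password against this, so the unknown-user path costs the same
# amount of work as the wrong-password path and no password can match it.
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _SALT)

# One message for every failure: the caller learns only that the pair failed.
GENERIC_ERROR = "Invalid ID or password."


def leaky_login(username, password):
    """The pattern the post criticises: a distinct message per failure cause.

    Returns (success, message). Constructed messages, not Yahoo!'s wording.
    """
    record = USERS.get(username)
    if record is None:
        # Tells the caller that no such account exists.
        return False, "This ID does not exist."
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        # Tells the caller that the account exists and only the password is wrong.
        return False, "Invalid password."
    return True, "Welcome"


def hardened_login(username, password):
    """Same message on every failure path, and the same work on each of them.

    Returns (success, message).
    """
    record = USERS.get(username)
    if record is None:
        # Unknown user: still run the full hash comparison against a dummy
        # record so timing does not reveal that the lookup failed.
        salt, stored, exists = _SALT, _DUMMY_HASH, False
    else:
        salt, stored = record
        exists = True
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    if not (exists and matched):
        return False, GENERIC_ERROR
    return True, "Welcome"


if __name__ == "__main__":
    for handler in (leaky_login, hardened_login):
        print(handler.__name__)
        print("  unknown user :", handler("bob", "anything")[1])
        print("  wrong passwd :", handler("alice", "wrong")[1])
        print("  correct pair :", handler("alice", "correct horse")[1])
```

Running the script shows the two failure messages from `leaky_login` differing while the two from `hardened_login` are identical. The dummy-hash step matters more than it looks: a generic message is no help if the server answers instantly for unknown ids and only pays the hashing cost for known ones, since the response time then reveals exactly what the message was hiding.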