Is there a security reason not to reveal the existence of a user ID?

Posted by Chris on Stack Overflow See other posts from Stack Overflow or by Chris
Published on 2010-05-21T01:14:20Z Indexed on 2010/05/21 1:20 UTC
Read the original article Hit count: 248

Filed under:
|
|

I've noticed that on some sites, when you request a password reminder or sign in, they'll tell you if the user doesn't exist (I think Meetup does this). Other sites will simply say "the user/password combination is invalid" (Google, I believe, does this).

Is there a security reason for not revealing the existence of a user id?

© Stack Overflow or respective owner

Related posts about security

Related posts about General