Usable Security

Usable Security is a new blog about—you guessed it—the intersection of usability and security. This comes up every few weeks since I improved the error messages on the WordPress login (and bbPress) to specify which part of the login was mistaken, the username or the password. Security folks see this as a problem because you’re revealing more information, but I see making the error message more generic as premature security optimization. Plenty of systems where login names are public or easily discoverable, such as Yahoo, Gmail, Hotmail, most email systems, and so forth, seem to be doing just fine.

3 thoughts on “Usable Security”

  1. I see your point about usability. It’s true that most malicious individuals (I’ve used “crackers” too much in the past few days) would probably have prepared themselves with more advanced methods for gaining entry, and also that many usernames are easily determined. Still, it could deter a few script kiddies.

    Oh, and Usable Security looks like an interesting read. I subscribed.

  2. I certainly agree with you that there need not be any paranoia in denoting which field is incorrect; after all, the username is not the password.

    But of course there is no need to verify a given password if no such username exists, therefore producing an “incorrect username and password” or “no such username” error message.

    I’m not sure if our beloved WordPress works this way right now; I hardly get login errors on my WP installs since my passwords are auto-saved in Firefox. 🙂
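As an added illustration (not code from the post, from WordPress, or from either commenter), here is a small login handler that implements both policies discussed above: the field-specific messages the post defends, and the generic message security reviewers prefer. It also covers the second comment's suggestion of skipping password verification for unknown usernames: under the generic policy the handler still runs the hash for an unknown username, because otherwise the faster reply would reveal the same fact the generic wording hides. The user table, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count chosen for the example, not for production tuning.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, stored hash). Not real credentials.
_SALT = os.urandom(16)
USERS = {"matt": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used when the username is unknown, so the generic-message
# path does the same hashing work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login(username: str, password: str, specific_errors: bool) -> tuple[bool, str]:
    """Return (success, message) under one of two error-message policies.

    specific_errors=True  -> the WordPress behaviour the post defends:
                             tell the user which field was wrong.
    specific_errors=False -> one generic message for both failure cases.
    """
    record = USERS.get(username)
    if record is None:
        if specific_errors:
            return False, "Invalid username."
        # Comment 2 suggests skipping verification here. Under the generic
        # policy that would undo the point of the message: the response time
        # would differ between known and unknown usernames. So hash anyway.
        hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)
        return False, "Invalid username or password."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        if specific_errors:
            return False, "Incorrect password."
        return False, "Invalid username or password."
    return True, "Welcome."
```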
