But telling the user that their username OR password is incorrect is good practice though, right? If you were trying to break into somebody's account, it would be better for the person breaking in to not know whether or not that account exists, is a typo, etc.
Is it really "good practice"? It seems like cargo-cult security to me. Usernames are usually public anyway; refusing to reveal the existence of a user name as part of the login process but revealing it elsewhere in your application is pointless.
It's an interpretation of the guidance that comes from the NIST 800 series of publications about information security.
It is good guidance, but it's guidance developed with a specific enterprise viewpoint that may not make sense based on the type of service, type of information protected and other controls. For example, multi-factor authentication may be deemed sufficient to control a risk.
As a general principle the concept of "least privilege" is a key component of how security people think. In this case, what is the minimum amount of information that I can provide to the user and still be useful?
Take it to the extreme and think about banking. You wouldn't want to have a system where you confirm and deny the existence of accounts for somebody who's rotating through a brute force. SSH logins for instance do this.
But if usernames are released publicly in forums, Google-crawled pages, etc., then an attacker already knows the existence of a subset of the accounts at least.
For example, somebody attacking HN can crawl pages such as this one and determine that 'skeletonjelly' is a valid HN user.
Sure, but I guess there's no one single security model that fits all situations. I guess that's what I meant by "best practice". Obviously internet banking usernames wouldn't be listed somewhere public.
It's addressed in the article. It's a valid concern, but they explain their decision - their "forgotten username" screen is a pretty simple way to check whether a username exists or not, so it's almost a moot point as far as security is concerned.
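The two login behaviours the thread is arguing over, side by side, as an added example that is not part of the original discussion: a handler that reports "no such user" versus "wrong password" (the pattern that confirms or denies account existence), and one that returns a single generic message and does the same amount of password-hashing work on both paths so the response and its timing give nothing away. The user store, the password and the dummy credential are constructed for this example; only the username "skeletonjelly" is taken from the thread.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"skeletonjelly": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential verified whenever the username is unknown, so the
# unknown-user path costs the same as a failed password check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The pattern the thread argues against: a distinct message per failure
    cause, and an early return that also makes the unknown-user path faster."""
    record = USERS.get(username)
    if record is None:
        return False, "No such user"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Wrong password"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Same message and same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # An unknown user must fail even if the supplied password happened to
    # match the dummy hash.
    if matched and username in USERS:
        return True, "OK"
    return False, GENERIC_ERROR
```

The generic message only helps if every other screen (password reset, "forgotten username", signup) is held to the same rule, which is the point made about the article above.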