Comments on: Get your error messages right, people.

By: Sugar

Sugar — Wed, 03 Jan 2007 08:20:52 +0000

@ stelabouras:

Happy new year, you!

I’ll increase the font in comments when I return home tonight.
The whole site will be redesigned in some days, anyway.

By: stelabouras

stelabouras — Wed, 03 Jan 2007 01:10:30 +0000

Happy New Year Sugar!

Maybe Cocomment isn’t the service anyone wants to hack, but I would rather agree with John by saying that it is done for safety reasons
Also the Cocomment programmers maybe used a kind of framework to build their web app so the whole login procedure is handled from it (although I believe they have double checked all the messages).
Anyways there are a lot of web services that return same error messages so what’s the big deal

Tip: I have a hard time reading the comments due to the small font…Can it be increased? Plz?

By: Sugar

Sugar — Tue, 02 Jan 2007 17:15:46 +0000

Sigh… fine. You’ve proved me wrong and this kind of messages is OK, eventually.

But it still poses some usability issues for the real users of this dang login form.

By: Titanas

Titanas — Tue, 02 Jan 2007 16:19:31 +0000

I misunderstood you and i apologize for that!

I don’t think they want to confuse hackers but instead make their lives less easy. The error message doesn’t tell the whole truth.

Check this error message from (mt):

It appears that either your domain, email address, or password is incorrect. Please try logging in again, or consider using the Lost Password Recovery Page. If you still have problems, please contact the customer support department at 877-578-4000.

TIP: Your domain should not include the “http://” prefix nor should it include the “www” prefix.

By: Sugar

Sugar — Tue, 02 Jan 2007 14:35:30 +0000

Please Titanas, don’t distort my sayings.

I didn’t mention that coComment is a nuisance. I just say that, in usability terms and in my humble opinion, their login system has a flaw in error messages.

I really can’t believe that the obvious solution for web application developers is to provide an ambiguous error message to “confuse” potential hackers.

Let’s be realistic here.

By: Titanas

Titanas — Tue, 02 Jan 2007 12:01:11 +0000

@Sugar: coComment is a nuisance for you, Gmail is a nuisance for someone else, phpBB is a nuisance for me etc.

Developers are called to protect their service and what Tsevdos John says is right.

By: Sugar

Sugar — Mon, 01 Jan 2007 21:17:00 +0000

Aren’t there any other safety locks about this? Like, set the account pending when someone tries more than 5 times to login unsuccessfully?

And to be frank, who’s gonna hack into my coComment account, really!

I could understand (maybe) if this was coming from an e-shop, or anything that needs to be more secure than conventional sites. But in this case, it’s just a nuisance.

By: Tsevdos John

Tsevdos John — Sun, 31 Dec 2006 17:00:21 +0000

Well Sugar it has to do with safety procedures. If a login system reveal which of the username or password is wrong (which simply means that the other is right), it is very easy for a hacker to find out more information about the specific account… That’s why all the login systems never generated the two above error messages you suggesting…

By: Titanas

Titanas — Sun, 31 Dec 2006 12:33:26 +0000

It’s one of those stupid things someone forgot to do.. or maybe it’s the implementation of the query that doesn’t make life easy enough for such error messages.

You love me, I love you: let’s make love

By: Sugar

Sugar — Sun, 31 Dec 2006 11:39:29 +0000

Har har har.

Why should I do that, since with just one right error message, they’d put me in the right track and make me understand what’s wrong at a glance?

I love you too!