When we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on system. This information can be used to attack the web application, for example, through a brute force or default username/password attack.


Technical Tips:-

 Application should answer in the same manner for every failed attempt of authentication.

For Example:

 Credentials submitted are not valid..


 UserName or Password mismatched..



 We can force to create user credentials in the following composition or a variance of such:


  • at least: 1 uppercase character (A-Z)
  • at least: 1 lowercase character (a-z)
  • at least: 1 digit (0-9)
  • at least one special character (!"£$%&...)
  • a defined minimum length (e.g. 8 chars)
  • a defined maximum length (as with all external input)
  • no contiguous characters (e.g. 123abcd)
  • not more than 2 identical characters in a row (1111)