When we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on system. This information can be used to attack the web application, for example, through a brute force or default username/password attack.

Technical Tips:-

 Application should answer in the same manner for every failed attempt of authentication.

For Example:

 Credentials submitted are not valid..

 Or

 UserName or Password mismatched..

 EXTRA – TIPS:-

 We can force to create user credentials in the following composition or a variance of such:

• at least: 1 uppercase character (A-Z)
• at least: 1 lowercase character (a-z)
• at least: 1 digit (0-9)
• at least one special character (!"£$%&...)
• a defined minimum length (e.g. 8 chars)
• a defined maximum length (as with all external input)
• no contiguous characters (e.g. 123abcd)
• not more than 2 identical characters in a row (1111)