Saturday, 19 September 2015

Should you really follow BEST PRACTICES?


Once upon a time, not long ago, a developer created his own personal website. To keep unauthorized users away, he added a login page. Being internet savvy himself, he knew how hackers plan their attacks. So, instead of displaying a separate error message for each login field, he showed a common message: “Username/Password is incorrect. Try again”. This was a smart move, because now an attacker couldn’t tell which input was wrong. He showed this message to one of his developer friends, who followed the same approach. In this way, displaying a common error message on the login page became a BEST PRACTICE.
The best thing about BEST PRACTICES is that they are best in some contexts; the worst thing is that people have a tendency to follow whatever is labelled best. In fact, sometimes they are followed by everyone and hence become merely common. There can’t be a hundred best students in a class of a hundred. Only one can be the best in each subject among the hundred; the others are good, very good, average and poor.
The story above is not just a story; it is reality. The idea of changing the error message worked for the first developer, but it didn’t work for his friend. Why? Let’s see.
  • The unauthorized user entered an invalid username and password, and the system displayed the error message “The email address or password you entered isn’t correct. Please try again”. Quite good. The user doesn’t know which is incorrect – username, password or both. (This is similar to what the first developer did and the others followed.)
Image: Error message on the "Sign In" page
  • Then the user opened the “Forgotten your password?” page and entered the same email id. The system displayed an error message saying that the entered email is not registered with the website. Boom. The protection provided by the previous error message is undone by this one. Now the unauthorized user knows that this is not a valid user name, so he can put his energy into finding a valid one. He has got a direction to move in. (In our story, the first developer didn’t provide a Forgot Password page, but the others did. So his solution worked for him but not for the others.)
Image: Error message on the "Forgot your Password?" page
The problem is that people are so obsessed with following best practices that context is side-lined in most cases. See the example below:
  • Here, if an unauthorized user enters an invalid email address, the system clearly tells him that the account doesn’t exist.
Image: Error message when a wrong email is entered
  • In the other case, when the user enters a correct email and an incorrect password, the system displays “Email/Password combination is wrong” (the BEST PRACTICE). From the previous message, it is obvious that only the password can be wrong in this case, but as I already said, people are so obsessed with following BEST PRACTICES that they miss the tweaks.
Image: Error message when a wrong password is entered
There are two important learnings from the above examples:
  • BEST PRACTICES are best in their own contexts and might not work for you if your context differs. Do what works for you, and that will be your “BEST PRACTICE”. Moreover, it doesn’t make sense to me that if everyone is following the same thing, it can still be called a “BEST PRACTICE”. It should be called a “GENERAL PRACTICE”.
  • Don’t forget to verify the linking between error messages in your application. We have seen in the above scenarios that one error message violates the rule of the other. (Linking between error messages might be new to many and should be practised.)
If I were testing the same Forgot Password page for the website shown above, I would ask the developer to display a message like “An email will be sent shortly to the registered email if it’s valid”.
Now, don’t make this a BEST PRACTICE.
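As an added illustration of the two points above (this is example code written for this post, not something from the original website): a minimal login and forgot-password pair in Python, with the leaky forgot-password handler next to a version that returns the same message for every input, plus a small check that a tester can use to confirm the two pages no longer contradict each other. The user store, hashing scheme and message texts are constructed for the example.

```python
# Added example: how an inconsistent "forgot password" reply reveals which
# accounts exist, and the uniform-reply fix. All data below is constructed.
import hashlib
import hmac

def _hash(pw: str) -> str:
    # Hypothetical salted hash; a real site would use a proper password KDF.
    return hashlib.sha256(b"demo-salt" + pw.encode()).hexdigest()

# Constructed sample store: email -> password hash.
USERS = {"alice@example.com": _hash("correct horse")}

LOGIN_MSG = "Username/Password is incorrect. Try again"
RESET_MSG = "An email will be sent shortly to the registered email if it's valid"

def login(email: str, password: str) -> str:
    """Login page: one message whether the email, the password or both are wrong."""
    stored = USERS.get(email, _hash(""))  # compare against a dummy for unknown emails
    ok = email in USERS and hmac.compare_digest(stored, _hash(password))
    return "OK" if ok else LOGIN_MSG

def forgot_password_leaky(email: str) -> str:
    """The anti-pattern from the post: the reply differs for unknown emails."""
    if email not in USERS:
        return "That email address is not registered with this website"
    return "A password reset email has been sent"

def forgot_password_fixed(email: str) -> str:
    """Same reply for every input; the reset mail (if any) is sent out of band."""
    if email in USERS:
        pass  # queue the reset email here; never reflect existence in the reply
    return RESET_MSG

def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Tester's check: does the page answer differently for a known vs. unknown email?"""
    return handler(known) != handler(unknown)
```

Running `leaks_existence` over every page that accepts an email or username (login, forgot password, registration) is the "linking between error messages" check from the second learning above.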
