
New user login with unrecognised email

login

#1

I’m sure this has been asked before but…

When a new user tries to log in with an email address that is not recognised, the default message is “Wrong email or password”. What I would actually want to happen is to redirect the user to the Sign Up page and possibly improve the (error) message.

At the very least, if the redirect is not possible, can I change the error message to something more meaningful, such as “That email address is not recognised - please click on SIGN UP and register” - is this bad practice?

Any other solutions would be gratefully received!

Many thanks.


#2

As a security measure, it is good practice to avoid using any messages that may indicate the existence/non-existence of a user within your application.

For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on system. This information can be used to attack the web application, for example, through a brute force or default username/password attack.

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Due to this, we do not recommend using error messages such as “That email address is not recognised”. If you would like to use a customized error message, without exposing information such as that outlined above, you can add them to Lock’s languageDictionary:
https://auth0.com/docs/libraries/lock/v10/customizing-error-messages


#3