Sites that require you to login
Posted By: Ciaran, on host 81.154.176.193
Date: Friday, September 2, 2005, at 16:42:08

You know, there's one thing about sites that require you to login that seems to be quite common.

See, normally, if you enter your password wrongly, they'll give you a message like "Username and/or password incorrect." The idea is that they don't want to give hackers any sort of clue as to whether the username actually exists or not. Sounds good, right? Sounds like they're being responsible; after all, guessing at random usernames *and* random passwords is about as productive as trying to use a chocolate teapot.

But all too often, these same sites will openly tell you if they don't have any records for a username when you use their "I forgot my password" function, which kind of defeats the point; now hackers can know with certainty what usernames exist on a site, and can get to work on the passwords themselves.

Of course, most sites with this sort of function actually send email to the registered email address on that account when you use the function, so they *are* alerted to the problem. Other sites, though, use an elaborate "security question" routine - basically, when you register you give a question to which only you (or maybe a few other people) should know the answer - like your mother's maiden name, for example.

The trouble is, that approach means that if you get a security question, you can be 99% sure that the account exists - and what's more, in 99% of cases the owner won't have been alerted. On the other hand, if you get an error, you can be 100% sure it doesn't exist.

Am I the only one who sees something a little wrong with this?

(Okay, I'll be the first to admit that, yes, I've made sites myself that fall into this trap. I'll probably be fixing them up later so that it isn't quite so obvious.)

- Ciaran.
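The two behaviours the post contrasts, side by side, as an added example (not code from the post or from any site it mentions). The user table, the account names and the handler names are constructed placeholders; no web framework is used, so each handler just returns the text it would render.

```python
"""Username enumeration through the 'forgot my password' path, and a fix.

Constructed example: an in-memory user table and two versions of the
reset handler. The leaky handler answers differently depending on whether
the username exists; the hardened one returns the same text either way
and does the real work (emailing the owner) out of sight.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts; the names and addresses are placeholders.
USERS = {
    "alice": {"email": "alice@example.invalid",
              "question": "What was your mother's maiden name?"},
}


@dataclass
class Outbox:
    """Records the emails a handler would send, so a test can inspect them."""
    sent: list = field(default_factory=list)


# --- Leaky version: the behaviour the post complains about -----------------

def forgot_password_leaky(username: str, outbox: Outbox) -> str:
    """Reveals account existence: one reply for unknown names, another
    (the security question, with no email to the owner) for known ones."""
    account = USERS.get(username)
    if account is None:
        return "We have no record of that username."
    return f"Security question: {account['question']}"


# --- Hardened version -----------------------------------------------------

GENERIC_RESET_MESSAGE = (
    "If an account with that username exists, reset instructions have been "
    "emailed to its registered address."
)


def forgot_password_hardened(username: str, outbox: Outbox) -> str:
    """Same reply whether or not the username exists.

    A real account gets a fresh random token by email, so the owner is
    alerted and the secret never appears in the page. Any security
    question would be asked only after that emailed link is followed,
    so the question itself cannot confirm the account's existence.
    """
    account = USERS.get(username)
    token = secrets.token_urlsafe(32)  # generated on both paths
    if account is not None:
        outbox.sent.append((account["email"], f"Reset link token: {token}"))
    return GENERIC_RESET_MESSAGE


def reveals_existence(handler, outbox: Outbox) -> bool:
    """True if the handler's reply differs between a known and an unknown
    username, i.e. if it can be used to enumerate accounts."""
    known = handler("alice", outbox)
    unknown = handler("no-such-user", outbox)
    return known != unknown


if __name__ == "__main__":
    box = Outbox()
    print("leaky reveals existence:   ", reveals_existence(forgot_password_leaky, box))
    print("hardened reveals existence:", reveals_existence(forgot_password_hardened, box))
    print("emails queued by hardened handler:", len(box.sent))
```

One caveat the response text alone does not cover: if the email is sent synchronously inside the request, the known-account path takes measurably longer, so the send should be queued rather than performed inline. Rate limiting the endpoint closes the remaining avenue of simply trying many names.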
