
Most of the login pages like Google, Outlook and Yahoo! confirm the username first and then ask for a password instead of confirming the username and password combination all together. Isn't it less safe to go with the former practice, as the intruder can guess the username first and then guess the password, whereas in the latter case the intruder has to go with guessing both the options?

Also is there a website where I can find the industrial standards for the login flow?

CubeRootX
  • Possible duplicate of [Is it unsafe to show message that username/account does not exist at login?](https://security.stackexchange.com/questions/158075/is-it-unsafe-to-show-message-that-username-account-does-not-exist-at-login), [Generic error message for wrong password or username - is this really helpful?](https://security.stackexchange.com/questions/62661/generic-error-message-for-wrong-password-or-username-is-this-really-helpful). – Steffen Ullrich Apr 14 '19 at 09:38
  • Usernames are checked first sometimes in order to determine what authentication mechanism should be used. And unfortunately, "where can I find X?" is off-topic here. – schroeder Apr 14 '19 at 09:49

0 Answers