---
title: Use Generic Error Messages in Auth
impact: MEDIUM
impactDescription: prevents account enumeration by hiding which part of the authentication failed
tags: security, authentication, privacy
---

## Use Generic Error Messages in Auth

Do not reveal which part of the login failed: a distinct message for an unknown email versus a wrong password lets a caller confirm which addresses have accounts. Return one generic message, such as "Invalid email or password", for both cases.

**Incorrect (reveals existence):**

```ruby
if @user.nil?
  render json: { error: "User not found" } # Confirms the email is not registered
elsif !@user.authenticate(params[:password])
  render json: { error: "Incorrect password" } # Confirms the email is registered
end
```

**Correct (generic message):**

```ruby
# `&.` returns nil when no user was found, so a missing account and a wrong
# password both fall through to the same branch and the same response.
if @user&.authenticate(params[:password])
  login(@user)
else
  render json: { error: "Invalid email or password" }, status: :unauthorized
end
```
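As an added example (not part of this rule's own snippets), a plain-Ruby version of the same login check that also keeps the work of both failure paths alike: when the email is unknown it verifies the password against a throwaway hash, so the missing-user branch does not finish noticeably faster and give the account away by timing. It uses PBKDF2 from the standard library as a stand-in for bcrypt/`has_secure_password`; the user table, `authenticate_request` and the helper names are constructed for this example.

```ruby
require "openssl"
require "securerandom"

# Stand-in for bcrypt (assumption: the real app uses has_secure_password).
ITERATIONS = 20_000
GENERIC_ERROR = { error: "Invalid email or password" }.freeze

# Returns "salt$hexdigest"; the salt is generated when not supplied.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                    length: 32, hash: "sha256")
  "#{salt}$#{digest.unpack1('H*')}"
end

# Constant-time comparison so a near-miss prefix does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  salt, expected = stored.split("$", 2)
  actual = hash_password(candidate, salt).split("$", 2).last
  secure_equal?(expected, actual)
end

# Constructed user table; the real app would query the database.
USERS = { "alice@example.com" => hash_password("correct horse") }.freeze
# Random hash that no caller can match: used when the email is unknown.
DUMMY_HASH = hash_password(SecureRandom.hex(32)).freeze

# Returns [http_status, body]. Unknown email and wrong password both run the
# same KDF and return the same body, so neither the message nor the response
# time reveals whether the account exists.
def authenticate_request(email, password)
  stored = USERS.fetch(email, DUMMY_HASH)
  ok = password_matches?(stored, password) && USERS.key?(email)
  ok ? [200, { user: email }] : [401, GENERIC_ERROR]
end
```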

**Tools:** Manual Review
---
