Any decent error message is a kind of oracle

https://news.ycombinator.com/rss Hits: 3
Summary

Classic UX advice is to give useful, informational, actionable error messages. For example, the Nielsen Norman Group recommends:

Concisely and precisely describe the issue. Generic messages such as An error occurred lack context. Provide descriptions of the exact problems to help users understand what happened.

[...]

Offer constructive advice. Merely stating the problem is also not enough; offer some potential remedies.

Tim Neusesser and Evan Sunwall (Nielsen Norman Group): Error-Message Guidelines

Are people just ignoring tried-and-true UX wisdom, or is something else going on? I argue it’s something else.

Any decent error message is a kind of oracle. Bad error messages are usually not incompetence, but the result of specific tradeoffs in the design space.

What’s ahead:

- Everyone’s least favorite login errors
- Any decent error message is a kind of oracle
- How I learned to stop worrying and love the oracle
- Meaningmaking for our error messages

Everyone’s least favorite login errors

As a user, the worst kind of error message is “Username or password is incorrect,” followed by “If the account exists, we sent you a password reset email.” This goes against classic UX guidance about good error messages. So why aren’t these errors better? “Password is incorrect, try again.” or, “No account exists for this email.” Is that so hard?

Actually, these kinds of error messages are designed to avoid an account enumeration attack - a way for an attacker to understand whether a particular email has an account on your site. Is that so sensitive? If you run a mental-health app or similar, it could be! And account enumeration often precedes credential stuffing, where an attacker uses previously-breached passwords to get into other accounts where the person re-used the password.

(Side note: that link above goes to my employer’s site, but my writing here is always my own.)

Many “Oopsie woopsie”-style errors are a fallback message that appears in unexpected errors - since the developer doesn’t expect it t...
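The login and password-reset messages discussed above, as an added example that is not code from the article: the helpful handlers next to the uniform ones, plus a check a test suite can run to catch a response that reveals whether an account exists. The account store, the function names and the "Welcome back." and "Reset email sent." strings are assumptions made for the illustration, and the dummy hash for unknown accounts goes one step beyond the text by keeping the work done the same as well as the message.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Credentials checked when the account is unknown, so the same hashing work happens.
_DUMMY = (os.urandom(16), os.urandom(32))

def login_leaky(email, password):
    """Helpful messages: each one tells the caller whether the account exists."""
    if email not in USERS:
        return "No account exists for this email."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Password is incorrect, try again."
    return "Welcome back."

def login_uniform(email, password):
    """One message for both failure cases, and the hash is always computed."""
    salt, stored = USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    ok = matches and email in USERS
    return "Welcome back." if ok else "Username or password is incorrect."

def reset_leaky(email):
    if email in USERS:
        return "Reset email sent."
    return "No account exists for this email."

def reset_uniform(email):
    # Mail would only be sent when the account exists; the response never says which.
    return "If the account exists, we sent you a password reset email."

def is_enumeration_oracle(handler, known, unknown, *args):
    """True if a registered and an unregistered email get different responses."""
    return handler(known, *args) != handler(unknown, *args)
```

Running `is_enumeration_oracle` over every unauthenticated endpoint that accepts an email (login, reset, signup) turns the tradeoff into a regression test rather than something rediscovered in review.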

First seen: 2025-10-26 11:02

Last seen: 2025-10-26 13:03