Using form field validation errors securely

Hey there,
Question for the community out there… For form field validation errors on a payment screen where a user is adding credit card or banking information, what's the consensus: do you let the user know which individual fields are incorrect, or just show an overall error message that doesn't point exactly to where a piece of information is incorrect?

My view on it is you would want to let a potential hacker know what piece of information they need to focus on.


Best practice is to highlight each field that has an error. Don’t make the user try to figure out which one.

I also think it’s best to highlight each incorrect field. Generally, it’s better to give users feedback that is as clear as possible. Otherwise, they may end up messing up their correct information or even redoing all fields to make sure everything is correct, which can result in the whole experience becoming more time-consuming and frustrating.

I understand the common practice of field validations. Think hacker-wise… The question here is more around giving hints to potential hackers to guess the proper account information. Say they have the credit card number and the UI is telling them: “Yep, everything is cool here except the security code, or zip code. Just keep guessing the security code.”

Hmm… that’s an interesting question. I think my main question is, which scenario happens more often? I might be wrong, but I am not sure if making the form’s validation feedback more vague to confuse potential hackers would be the best choice. Especially since, as far as I know, one of the main purposes of using security codes in combination with expiration dates and credit card numbers was to make it extremely hard for hackers to access someone’s account.
That being said, I am no expert in the hacking field, and I don’t know if counting on the probability of an incident is enough reason to ignore the possible risks. So, I too would love to hear the opinion of experts in the field on this matter.

I don’t know why in this case you couldn’t just use a generic error notification similar to:

“Oops! Something went wrong with the payment information you entered. Please check all fields and resubmit”

Sometimes, as UX professionals, I think we get hung up on what “best practice” is and don't think through different scenarios for something like form field validations. Not saying I am right in this instance (hence why I posed the question here), just my opinion.

I’m with @aQuan on this. I reckon if you researched how most brute force hacking goes down, this won’t help or hinder. It will definitely hinder your users though.

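The split the replies are circling (tell the user exactly which field they mistyped, but never relay what the card network's verification said about a well-formed card) can be made concrete on the server. The code below is an added example, not from this thread or any product mentioned in it; the field names, the `processor_result` strings and the per-card decline limit are assumptions.

```python
import hashlib
import re
from datetime import date

GENERIC_DECLINE = "We couldn't process this payment. Check your details or try another card."
MAX_DECLINES_PER_CARD = 3  # assumed limit; tune to your own fraud rules


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit: catches typos, says nothing about whether the account exists."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_format(fields: dict, today: date) -> dict:
    """Per-field messages for syntax only: safe to show, they reveal nothing the user did not type."""
    errors = {}
    pan = re.sub(r"[ -]", "", fields.get("card_number", ""))
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        errors["card_number"] = "Enter a valid card number."
    m = re.fullmatch(r"(\d{2})/(\d{2})", fields.get("expiry", ""))
    if not m or not 1 <= int(m[1]) <= 12 or (2000 + int(m[2]), int(m[1])) < (today.year, today.month):
        errors["expiry"] = "Enter a valid, unexpired date (MM/YY)."
    if not re.fullmatch(r"\d{3,4}", fields.get("cvv", "")):
        errors["cvv"] = "Enter the 3 or 4 digit security code."
    return errors


def submit_payment(fields: dict, processor_result: str, declines: dict, today: date) -> dict:
    """Format problems -> field-specific; processor outcome -> one generic message, counted per card."""
    errors = validate_format(fields, today)
    if errors:
        return {"ok": False, "field_errors": errors}
    pan = re.sub(r"[ -]", "", fields["card_number"])
    key = hashlib.sha256(pan.encode()).hexdigest()  # never keep the raw PAN as a dict key
    if declines.get(key, 0) >= MAX_DECLINES_PER_CARD:
        return {"ok": False, "message": GENERIC_DECLINE}  # throttled; indistinguishable from a decline
    if processor_result != "approved":  # assumed codes such as "cvv_mismatch" or "avs_mismatch" are never echoed
        declines[key] = declines.get(key, 0) + 1
        return {"ok": False, "message": GENERIC_DECLINE}
    return {"ok": True}
```

The `declines` dict stands in for whatever shared store your server uses; the point is that a CVV or address mismatch on a correctly formatted card produces the same response as any other decline, and repeated declines on one card stop reaching the processor at all.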