PHP MySQL validation problem in MySQL Help Posted September 25, 2017 The message should always be the same whether their email doesn't exist or if the password did not match. Otherwise, you will "leak" information (e.g. a malicious user could determine valid account emails). The ugly truth is that's it's practically impossible not to leak this information. Even if you show the same message, anybody can easily tell the difference between the two execution paths by comparing the response times. Since modern password hash algorithms are expensive by design, there will be noticable difference between an invalid e-mail address (which is instantly recognized) and an invalid password (which requires the server to compute the hash). You can make such attacks harder by designing the system appropriately, but this requires a lot of work, experience and complexity. A much better solution is to not use the e-mail address as a user identifier at all. Make the user choose a public name which doesn't have to be protected. This may be slightly less convenient, but the e-mail address will at least be somewhat protected.