474

submitted 1 week ago by NichEherVielleicht@feddit.org to c/programmer_humor@programming.dev

94 comments fedilink hide all child comments

(page 2) 44 comments

sorted by: hot top controversial new old

[-] Subscript5676@piefed.ca 3 points 1 week ago* (last edited 1 week ago)

In cass it's not clear from other comments, if the site tells you either one's wrong but not both, you can then brute force and try out a bunch of usernames and passwords to effectively farm for both: those that say "wrong username" means that the password is valid, while those that say "wrong password" means you got the username that's in the system.

Once you've collected them, the rest is just trying out every password for every user.

So... while this seems weird for a person, it is very much intentional.

Edit after several comments: I don't know why it's hard for people to look at the OP, take it for what it is, and argue for the sake of the argument, rather than claiming that something's impossible because of common or correct technical practices.

[-] InputZero@lemmy.world 3 points 1 week ago

Yeah a wrong username means both are wrong. That's not how it works, that's not how any of this works.

[-] Malgas@beehaw.org 3 points 1 week ago

those that say “wrong username” means that the password is valid

How could it mean that? The only reason you'd ever say "wrong username" is if the account doesn't exist (otherwise it's indistinguishable from "wrong password") and in that case there's no reason to even look at the password.

load more comments (4 replies)

[-] TevTra@lemmy.tevtra.com 2 points 1 week ago

Wrong username and password combination. Or just wrong credentials.

load more comments