try all passwords. Fail
Maybe I don’t have an account…
create new account. email already in use. Fail.
Okay, guess I’ll reset the password through email.
password can’t be one already used. Fail
WHAT?!
I have had that experience, then I realised I used oauth on that site. CTRL+refreshed the page and it did the auto login. No idea how I got a log in prompt that one time; probably clicked login before the page finished loading
The site had disabled password login for users who had changed to oauth
Being able to determine if a username is valid without a valid password is a security flaw
Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration
I was having a chat about this with a UX guy. His argument for using a similar flow was that the username/email will have to be validated at the point of registration anyway so you might as well make it easier for the user when the email is wrong. I couldn’t really refute this logic.
If you throttle both login and registration, then surely the risk is minimised while keeping the user happy?
You see the registration problem in so many places. If the username is an email, the proper way to validate it without revealing if an account exists is to accept any email address and if it already exists say that in the registration email you would send anyway. With the appropriate throttling if needed.
Compared to login or password reset, you rarely see the email validate before register flow, especially for mobile apps etc. That makes it pretty hard to make the case that this needs to be actioned from a security perspective when even the big companies are not following it either.
I think these days the best practice for mobile apps re retention (other than SSO or passkey) is to just ask for an email, then from the validate link continue with register
reason being that more steps to register means more ways people are likely to drop out of the flow, and this is basically about as short as it can be
when the user has validated their email, then they’re more invested so they are more likely to complete
that also fits nicely with what we’re talking about with good security
Just to clarify, would you mean to have the email/validate stage as part of the flow to access the app, or let them continue with just the email with a limited functionality?
either… some apps have just started to do single factor login with just email, profile options can be optional, if there are required fields or terms of service to agree to then that can come after email validation
I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register
There are also a lot of websites where you first just enter a username and only when that is valid they ask for a password
Many of those will progress to password even if the user doesn’t exist
Cisco VDI took their security to another level. Wrong password? system down? account locked? Always “Please try again later or contact support”.


whew
thankfully they redacted the phone number
It’s hilarious how all OP did with this post is show everyone how dumb they are.
Seriously, how do you NOT understand the security risk of that? I remember there was a joke about this back in the day where someone put a joke error message saying: “that password belongs to ninja123, please enter your password”
It’d be funny to have a social website that does that just to see what happens.
It’s very tempting to use that (maybe with several random usernames to select from) as the insufficiently strong password error message
It’s probably just a little too user hostile though
In case it’s not clear from other comments, if the site tells you either one’s wrong but not both, you can then brute force and try out a bunch of usernames and passwords to effectively farm for both: those that say “wrong username” mean that the password is valid, while those that say “wrong password” mean you got a username that’s in the system.
Once you’ve collected them, the rest is just trying out every password for every user.
So… while this seems weird for a person, it is very much intentional.
Edit after several comments: Bruh, I don’t know why it’s hard for people to look at the OP, take it for what it is, and argue for the sake of the argument, rather than claiming that something’s impossible because of common or correct technical practices.
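As an added example (not code from anyone in this thread), here is the leaky login pattern this comment and the earlier timing comment describe, beside a uniform-response version that returns one generic message and does the same hashing work whether or not the username exists; the in-memory user store, the password and the PBKDF2 parameters are constructed assumptions:

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store: username -> (salt, password hash)
USERS = {"alice": _make_user("correct horse battery staple")}

# Salt/hash for a throwaway password, so unknown usernames cost the same
# PBKDF2 work as real ones instead of returning early.
_DUMMY_SALT, _DUMMY_HASH = _make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> str:
    """The pattern the thread complains about: the message reveals whether the
    username exists, and the early return makes unknown users answer faster."""
    if username not in USERS:
        return "wrong username"  # no hashing done -> measurably quicker
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "wrong password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, hashing always performed,
    constant-time digest comparison."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # runs even for unknown users
    if username in USERS and hmac.compare_digest(candidate, stored):
        return "ok"
    return "invalid username or password"
```

Throttling per account and per source, as suggested elsewhere in the thread, still belongs on top of this; a uniform message only removes the oracle, not the guessing.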
There’s no way of knowing if a password is valid without the matching username. That doesn’t make any sense.
You underestimate my capacity to store passwords in plaintext and iterate over all of them for no good reason
Server should also answer: 5 characters correct, 2 in correct positions
It’s called security.
“Wrong username. Correct password.”
“Uh… who’s password?”
“who’s” is “who is”[1] or “who has”[2], and it can be wrestled into a possessive if you make “who” all or part of a name[3], but it’s the wrong sort of possessive for this context. If you really want the possessive form, it ought to be phrased “which person’s”, which is mostly what “whose” means.
(An actual linguist would speak more about the genitive and how it works in English, but I’m not as capable.)
[1]: e.g. “Who’s there?”
[2]: e.g. “Who’s let the cat out again?”
[3]: e.g. “This is you-know-who’s box of tricks.”
(linguistics) The practice of prescribing idealistic norms, as opposed to describing realistic forms, of linguistic usage.
E.g.
- Most linguists in this age believe that prescriptivism is outmoded and should no longer be used
- Most linguists in this age believe that descriptivism is a more accurate model of language than prescriptivism
- Most linguists in this age believe that “correcting” language unnecessarily is actively harmful, as it stifles the evolution of a living growing thing, which prescriptivism fails to accurately model
- Most linguists in this age agree the more important factor is CONTEXT, that you should use the correct language style for the context, whereas prescriptivism falls flat as it ignores context. Contextual Language is the idea that you use a different style of language talking to your boss than you do to your friend, than you do to your best friend, than you do to a stranger
I envy these linguists’ ability to either not be irked by grammar errors at all or to be able to deal with their irritation when errors arise.
I also envy their ability to understand what was meant, because sometimes there are enough errors to make meaning completely impossible to discern
There’s this thing in linguistics, casual language requires backchanneling - to respond back with either short utterances that show you understand, or to show confusion and then ask for clarity
The reason formal language is formalised, as in the shit used in essays, is that there is no easy way to say “what did you mean?” - the feedback loop is far too slow for that process and by the point the author(s) get to respond they likely forget what they meant as well
This makes so much sense; my most painful experience in the understanding department is from forums where feedback is at best hours long, and infinitely long at worst if the person never ever replies
Well, that was an entirely unnecessary and lengthy correction to a mistake that was A) a typo I didn’t notice from using swipe on my phone keyboard, not a misunderstanding on grammar, and B) not an error that rendered my comment confusing or indecipherable requiring your clarification. But thank you for your (air quotes) help. I really hope that you’re a bot, not a person this annoying or one who writes that way.
When one provides a correction for someone, it is much better to do that than to reply “*whose”
You don’t need to read it if you don’t want to