Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> I think websites say "Bad combination" not because usernames are treated equally with passwords, but because you don't have a choice but say that.

Of course you do.

> If I tell you that your username is incorrect, am I telling you your password isn't? This would be silly

Of course it is, a password is checked against a username, not against the whole database. If the site is telling you the username is incorrect it's telling you just that: the username is incorrect. It wasn't able to go any further and check the password since it has no idea which password it should check for (or even, if you're correctly storing passwords, which salt it should use for the password check). Your criticism doesn't even make sense.



His point is that it's not uncommon to be unsure which piece of data the user got wrong.

Consider that on any decently sized website, you're going to have a lot of cases where someone's trying to log in and they typo their username into someone else's username (e.g. if you tried to log in as "masklin" and that was taken). This looks to your server exactly like a wrong-password, but it's not.

If there's genuinely no user by that name, sure, tell them.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: