In cass it's not clear from other comments, if the site tells you either one's wrong but not both, you can then brute force and try out a bunch of usernames and passwords to effectively farm for both: those that say "wrong username" means that the password is valid, while those that say "wrong password" means you got the username that's in the system.

Once you've collected them, the rest is just trying out every password for every user.

So... while this seems weird for a person, it is very much intentional.

Edit after several comments: I don't know why it's hard for people to look at the OP, take it for what it is, and argue for the sake of the argument, rather than claiming that something's impossible because of common or correct technical practices.

[–] scutiger@lemmy.world 9 points 1 week ago (3 children)

There's no way of knowing if a password is valid without the matching username. That doesn't make any sense.

[–] Hack3900@lemy.lol 4 points 1 week ago (2 children)

You underestimate my capacity to store passwords in plaintext and iterate over all of them for no good reason

[–] sukhmel@programming.dev 5 points 1 week ago (1 children)

Server should also answer: 5 characters correct, 2 on correct positions

[–] TurtleTourParty@midwest.social 1 points 1 week ago

Passwordle!

I thought for a minute that that would be a fun password manager easter egg, but all my passwords are randomly generated so it would be super hard.

load more comments (2 replies)