this post was submitted on 10 Apr 2026
157 points (91.1% liked)
Programmer Humor
31388 readers
726 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register
I'd assume the spam protection for signing up is a lot tighter than the one for logging in
There are also a lot of websites where you first just enter a username and only when that is valid they ask for a password
Many of those will progress to password even if the user doesn't exist
And this fucks with password managers as they usually expect both fields on the same page.
Which ones? Both Keeper and KeepassXC will work just fine with it and the latter is FOSS.
That's easy to do. You just check that the username exists. If someone enters a wrong username/password pair, you can still check that the username exists, but how do you know that the user intended to log in with that username? You would also have to check every other username to see if the password matches, and that can't be done with a simple search because you need to compute a different hash for each user you check. Then if the username exists and the password also happens to match someone else's password, then what do you report? Should you even report it? Because doing so reveals that someone had that specific password, and if the list of usernames is publicly available (which they often are, or could become public through a leak of some sort), then you can brute force over a small set of usernames to match them up.