Being able to determine if a username is valid without a valid password is a security flaw
this post was submitted on 10 Apr 2026
157 points (91.1% liked)
Programmer Humor
31403 readers
900 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register
I'd assume the spam protection for signing up is a lot tighter than the one for logging in
load more comments
(5 replies)
I was having a chat about this with a UX guy. His argument for using a similar flow was that the username/email will have to be validated at the point of registration anyway so you might as well make it easier for the user when the email is wrong. I couldn't really refute this logic.
If you throttle both login and registration, then surely the risk is minimised while keeping the user happy?
You see the registration problem in so many places. If the username is an email, the proper way to validate it without revealing if an account exists is to accept any email address and if it already exists say that in the registration email you would send anyway. With the appropriate throttling if needed.
load more comments
(4 replies)
It's hilarious how all OP did with this post is show everyone how dumb they are.
Seriously, how do you NOT understand the security risk of that?
I remember there was a joke about this back in the day were someone put a joke error message saying: "that password belongs to ninja123, please enter your password"
load more comments
(2 replies)
It's called security.
"Wrong username. Correct password."
"Uh.... who's password?"
I don’t know who is password, or why is password, or when is password, but I do know where is password, and it’s out there!
But... how is password? Secure enough?
Error: password already in use by CobainKiller94
load more comments
(14 replies)
Just good security, nothing to see here.
Any further "helpful" information in that error message would be a security issue.
I am annoyed by (but respect) APIs that take it a level further and don't even give you a 403 to say you're unauthorised, they just give you a 404 because anything else would acknowledge that the resource you requested actually existed
Wouldn't unauthorized only be meant for AFTER a login is successful?
Like, the user should have to have an active session first. Maybe you're just talking about that case though.
load more comments
(3 replies)
I don't respect them because most instances a 403 is more than adequate for your security. The only time I agree with having a 404 over a 403 would be file-specific pathing, but realistically the entire file directory should be a 403 instead of a 404, And then if the user is authorized to access the resource(but it isn't there), then it gives a 404.
load more comments
(3 replies)
Couldn't you just try and register the username to see if it's valid?
While true most of these websites expose valid usernames in other places
Yeah, the error message could be more helpful:
Wrong password. Try again.
Hint: the correct password isgHI6shTI2!
Not gonna lie back when websites had password hints that you could do. I used to put something like that where it wouldn't be the full password, but it would be either a part of the password or I would label it as same as computer password or something like that.
God, I was so insecure when I was young.
2nd hint: Maybe your have a second account with any of this names: ...
AI slop is great, isn't it?
try all passowrds. Fail
Maybe I don't have an account...
create new account. email already in use. Fail.
Okay, guess I'll reset the password through email.
password can't be one already used. Fail
WHAT?!
I too only type my password correctly when I go to reset it.
load more comments
(1 replies)
My bigger beef is when I enter the wrong email and it rolls me over to a sign up screen.
Fucker, I have an account, I just don't remeber which of my 20 email addresses it is.
Cisco VDI took their security to another level. Wrong password? system down? account locked? Always "Please try again later or contact support".
If they told you the user name is wrong you may as well publish a list of usernames of your site.
"Something went wrong."
motherfucker I will OPEN UP THE NETWORK INSPECT TAB AND FIGURE OUT WHAT WENT WRONG.
Network tab: server returned an html page with the words "Something went wrong."
Classical error code 200
Had manager that wanted us to return error codes on a field of an API response along with an HTTP 200 because "errors bad". It needed a few of us to make him understand how that worked against common design patterns and you still had to handle error codes since you didn't know if the error would be coming from the app, web server, api gateway, local network (no internet), etc.
load more comments
(1 replies)
load more comments
(1 replies)
Website: Wrong user name or password.
Me: Password.
Website: Correct! Come right in.
yeah real question how would the website even know. Whole point is to match the 2 things together. Is hunter2 my password, well that depends who are you, we've got plenty of users that have that hunter2 password
Not exactly. It should check for the username and password separately. First check if the user exists, then check if the salted passwords match.
load more comments
(2 replies)
load more comments
(5 replies)
The absence of details makes the website more secure.
view more: next ›