this post was submitted on 10 Apr 2026
148 points (91.6% liked)

Programmer Humor

[–] M137@lemmy.world 20 points 1 day ago (1 children)

It's hilarious how all OP did with this post is show everyone how dumb they are.
Seriously, how do you NOT understand the security risk of that?

[–] lobut@lemmy.ca 7 points 19 hours ago

I remember there was a joke about this back in the day where someone put a joke error message saying: "that password belongs to ninja123, please enter your password"

[–] rizzothesmall@sh.itjust.works 58 points 1 day ago (2 children)

Being able to determine if a username is valid without a valid password is a security flaw

[–] cactusupyourbutt@lemmy.world 5 points 1 day ago (3 children)

I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register

[–] meekah@discuss.tchncs.de 2 points 1 day ago

I'd assume the spam protection for signing up is a lot tighter than the one for logging in

[–] marius@feddit.org 2 points 1 day ago

There are also a lot of websites where you first just enter a username and only when that is valid they ask for a password

[–] theo@lemmy.world 6 points 1 day ago (1 children)

I was having a chat about this with a UX guy. His argument for using a similar flow was that the username/email will have to be validated at the point of registration anyway so you might as well make it easier for the user when the email is wrong. I couldn't really refute this logic.

If you throttle both login and registration, then surely the risk is minimised while keeping the user happy?

[–] LeapSecond@lemmy.zip 13 points 1 day ago

You see the registration problem in so many places. If the username is an email, the proper way to validate it without revealing if an account exists is to accept any email address and if it already exists say that in the registration email you would send anyway. With the appropriate throttling if needed.
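
Added example, not part of any comment in this thread: a Python sketch of the enumeration-resistant flow described above, where registration always gives the same web response and only the registration email says whether an account exists, and login returns one generic error. The `Accounts` class, its method names, the message strings and the in-memory `outbox` are hypothetical; link tokens and throttling are left out.

```python
import hashlib
import hmac
import os

GENERIC_LOGIN_ERROR = "Wrong username or password."
GENERIC_SIGNUP_REPLY = "Check your inbox to continue."

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Accounts:
    def __init__(self):
        self.users = {}       # email -> (salt, password hash)
        self.pending = set()  # emails waiting for the confirmation link
        self.outbox = []      # (email, template) pairs standing in for a mail queue
        # Decoy credentials: unknown emails still cost one full hash computation,
        # so response time does not reveal whether the account exists.
        self._decoy_salt = os.urandom(16)
        self._decoy_hash = _hash(os.urandom(16).hex(), self._decoy_salt)

    def register(self, email: str) -> str:
        email = email.strip().lower()
        if email in self.users:
            # Only the mailbox owner learns the account already exists.
            self.outbox.append((email, "already_registered"))
        else:
            self.pending.add(email)
            self.outbox.append((email, "confirm_address"))
        return GENERIC_SIGNUP_REPLY  # identical web response in both cases

    def complete_signup(self, email: str, password: str) -> bool:
        # Reached through the emailed link (token check omitted in this sketch).
        if email not in self.pending:
            return False
        self.pending.discard(email)
        salt = os.urandom(16)
        self.users[email] = (salt, _hash(password, salt))
        return True

    def login(self, email: str, password: str) -> str:
        email = email.strip().lower()
        known = email in self.users
        salt, stored = self.users.get(email, (self._decoy_salt, self._decoy_hash))
        matches = hmac.compare_digest(_hash(password, salt), stored)
        return "Welcome." if (known and matches) else GENERIC_LOGIN_ERROR
```
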

[–] eager_eagle@lemmy.world 41 points 2 days ago (1 children)
[–] AlbertUnruh@feddit.org 27 points 1 day ago (2 children)
[–] eager_eagle@lemmy.world 13 points 1 day ago* (last edited 1 day ago)

whew

thankfully they redacted the phone number

Stuff like this is why you need to understand the reasons why, and not just the actions to do something.

[–] RogueBanana@piefed.zip 5 points 1 day ago

Cisco VDI took their security to another level. Wrong password? system down? account locked? Always "Please try again later or contact support".

[–] the_riviera_kid@lemmy.world 19 points 2 days ago (1 children)
[–] kryptonianCodeMonkey@lemmy.world 17 points 2 days ago (13 children)

"Wrong username. Correct password."

"Uh.... who's password?"

[–] bleistift2@sopuli.xyz 12 points 2 days ago* (last edited 2 days ago) (1 children)

I don’t know who is password, or why is password, or when is password, but I do know where is password, and it’s out there!

[–] Buddahriffic@lemmy.world 4 points 1 day ago

But... how is password? Secure enough?

[–] Buddahriffic@lemmy.world 5 points 1 day ago

Error: password already in use by CobainKiller94

[–] waigl@lemmy.world 16 points 2 days ago (11 children)

Any further "helpful" information in that error message would be a security issue.

[–] roofuskit@lemmy.world 16 points 2 days ago

Just good security, nothing to see here.

[–] mech@feddit.org 12 points 2 days ago* (last edited 2 days ago) (6 children)

Yeah, the error message could be more helpful:

Wrong password. Try again.
Hint: the correct password is gHI6shTI2!

[–] Pika@sh.itjust.works 6 points 1 day ago

Not gonna lie, back when websites had password hints, that you could do. I used to put something like that where it wouldn't be the full password, but it would be either a part of the password or I would label it as same as computer password or something like that.

God, I was so insecure when I was young.

[–] RamenJunkie@midwest.social 6 points 1 day ago

My bigger beef is when I enter the wrong email and it rolls me over to a sign up screen.

Fucker, I have an account, I just don't remember which of my 20 email addresses it is.

[–] saltesc@lemmy.world 7 points 2 days ago* (last edited 2 days ago) (1 children)

try all passwords. Fail

Maybe I don't have an account...

create new account. email already in use. Fail.

Okay, guess I'll reset the password through email.

password can't be one already used. Fail

WHAT?!

[–] MimicJar@lemmy.world 3 points 1 day ago

Website: Wrong user name or password.

Me: Password.

Website: Correct! Come right in.

[–] zxqwas@lemmy.world 5 points 2 days ago

If they told you the user name is wrong you may as well publish a list of usernames of your site.
