• Subscript5676@piefed.ca
    English · 9 upvotes · edited · 22 hours ago

    In case it’s not clear from other comments, if the site tells you either one’s wrong but not both, you can then brute force and try out a bunch of usernames and passwords to effectively farm for both: those that say “wrong username” mean that the password is valid, while those that say “wrong password” mean you got the username that’s in the system.

    Once you’ve collected them, the rest is just trying out every password for every user.

    So… while this seems weird for a person, it is very much intentional.

    Edit after several comments: I don’t know why it’s hard for people to look at the OP, take it for what it is, and argue for the sake of the argument, rather than claiming that something’s impossible because of common or correct technical practices.

    • Malgas@beehaw.org
      English · 3 upvotes · 1 day ago

      those that say “wrong username” mean that the password is valid

      How could it mean that? The only reason you’d ever say “wrong username” is if the account doesn’t exist (otherwise it’s indistinguishable from “wrong password”) and in that case there’s no reason to even look at the password.

    • scutiger@lemmy.world
      13 upvotes · 2 days ago

      There’s no way of knowing if a password is valid without the matching username. That doesn’t make any sense.

      • Hack3900@lemy.lol
        10 upvotes · 2 days ago

        You underestimate my capacity to store passwords in plaintext and iterate over all of them for no good reason

          • TurtleTourParty@midwest.social
            English · 7 upvotes · 2 days ago

            Passwordle!

            I thought for a minute that that would be a fun password manager easter egg, but all my passwords are randomly generated so it would be super hard.

    • InputZero@lemmy.world
      3 upvotes · 2 days ago

      Yeah a wrong username means both are wrong. That’s not how it works, that’s not how any of this works.
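
The thread is about login forms that report "wrong username" and "wrong password" separately. As an added example (not written by anyone in the thread), here is a login handler with per-field messages next to one that returns a single failure message and does the same hashing work whether or not the account exists, plus a regression check a defender can run against either. The user store, names, messages and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an illustrative choice
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample user store: username -> (salt, password hash)
USERS = {"alice": _make_record("correct horse battery staple")}
# Dummy record so that unknown usernames still cost one hash computation
_DUMMY_RECORD = _make_record(os.urandom(16).hex())

def login_leaky(username: str, password: str) -> str:
    """Per-field messages: the response reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return "wrong username"  # returned before the password is ever examined
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "ok"

def login_uniform(username: str, password: str) -> str:
    """One failure message, and the same hashing work on every path."""
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and matches:
        return "ok"
    return "invalid username or password"

def distinguishes_accounts(login, known_user: str, unknown_user: str) -> bool:
    """Regression check: do failed logins look different for existing vs. missing users?"""
    bad_password = "not-the-password"
    return login(known_user, bad_password) != login(unknown_user, bad_password)

if __name__ == "__main__":
    print("leaky handler distinguishes accounts:",
          distinguishes_accounts(login_leaky, "alice", "mallory"))
    print("uniform handler distinguishes accounts:",
          distinguishes_accounts(login_uniform, "alice", "mallory"))
```

Uniform messages close only this one channel; account-existence hints on registration and password-reset forms, and rate limiting of failed attempts, need their own handling.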