Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

"is still the more correct and useful statement"

No, it is usually incorrect and it is much less helpful than identifying which is incorrect.

"it is entirely likely that the mistyped username is somebody else's valid username"

No, that's highly unlikely.

If the email isn't in the DB, just say so. If the password doesn't match, just say so.



> No, it is usually incorrect...

If either the username does not exist, or the password does not match the existing username, then "incorrect username or password" is correct by logic. It might be incorrect if assuming xor meaning, because both could be wrong -- username and password.

The parent's point also was that the service can not identify which one is wrong. Was it the username if the password did not match but matches any other account?

> No, that's highly unlikely.

Why should it be unlikely to mistype the username? Misspellings happen. Some people check what they entered, some don't. People confuse their usernames when they have many. One username might be someone else's on another service. Etc.

> If the password doesn't match, just say so.

Which is wrong if the error lies with the username, not the password, and the mistyped username happens to exist.


Yes, you're correct that it's logically correct. I was responding more to "more useful" when it is obviously less useful.

It's unlikely that a typo'd email address is in the DB.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: