this post was submitted on 10 Apr 2026
427 points (91.0% liked)

Programmer Humor

30886 readers
1255 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
anzo@programming.dev
Feyter@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
427
The mist of the www (feddit.org)
submitted 1 day ago by NichEherVielleicht@feddit.org to c/programmer_humor@programming.dev
82 comments fedilink hide all child comments
 
top 50 comments
sorted by: hot top controversial new old
[–] M137@lemmy.world 27 points 13 hours ago (1 children)

It's hilarious how all OP did with this post is show everyone how dumb they are.
Seriously, how do you NOT understand the security risk of that?

[–] lobut@lemmy.ca 6 points 2 hours ago

I remember there was a joke about this back in the day were someone put a joke error message saying: "that password belongs to ninja123, please enter your password"

[–] RogueBanana@piefed.zip 10 points 19 hours ago

Cisco VDI took their security to another level. Wrong password? system down? account locked? Always "Please try again later or contact support".

[–] rizzothesmall@sh.itjust.works 131 points 1 day ago* (last edited 1 day ago) (2 children)

Being able to determine if a username is valid without a valid password is a security flaw

Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration

[–] cactusupyourbutt@lemmy.world 9 points 21 hours ago (3 children)

I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register

[–] meekah@discuss.tchncs.de 2 points 7 hours ago

I'd assume the spam protection for signing up is a lot tighter than the one for logging in

[–] marius@feddit.org 3 points 13 hours ago

There are also a lot of websites where you first just enter a username and only when that is valid they ask for a password

load more comments (1 replies)
[–] theo@lemmy.world 13 points 1 day ago (2 children)

I was having a chat about this with a UX guy. His argument for using a similar flow was that the username/email will have to be validated at the point of registration anyway so you might as well make it easier for the user when the email is wrong. I couldn't really refute this logic.

If you throttle both login and registration, then surely the risk is minimised while keeping the user happy?

[–] LeapSecond@lemmy.zip 18 points 1 day ago (1 children)

You see the registration problem in so many places. If the username is an email, the proper way to validate it without revealing if an account exists is to accept any email address and if it already exists say that in the registration email you would send anyway. With the appropriate throttling if needed.

[–] theo@lemmy.world 1 points 14 hours ago

Compared to login or password reset, you rarely see the email validate before register flow, especially for mobile apps etc. That makes it pretty hard to make the case that this needs to be actioned from a security perspective when even the big companies are not following it either.

load more comments (1 replies)
[–] eager_eagle@lemmy.world 148 points 1 day ago (1 children)

[–] AlbertUnruh@feddit.org 65 points 1 day ago (2 children)

[–] purplemonkeymad@programming.dev 3 points 14 hours ago

Stuff like this is why you need to understand the reasons why, and not just the actions to do something.

[–] eager_eagle@lemmy.world 27 points 1 day ago* (last edited 1 day ago)

whew

thankfully they redacted the phone nunber

[–] the_riviera_kid@lemmy.world 110 points 1 day ago (1 children)

It's called security.

[–] kryptonianCodeMonkey@lemmy.world 55 points 1 day ago (15 children)

"Wrong username. Correct password."

"Uh.... who's password?"

[–] Buddahriffic@lemmy.world 16 points 1 day ago

Error: password already in use by CobainKiller94

[–] bleistift2@sopuli.xyz 23 points 1 day ago* (last edited 1 day ago) (1 children)

I don’t know who is password, or why is password, or when is password, but I do know where is password, and it’s out there!

load more comments (1 replies)
load more comments (13 replies)
[–] roofuskit@lemmy.world 91 points 1 day ago

Just good security, nothing to see here.

[–] waigl@lemmy.world 63 points 1 day ago (3 children)

Any further "helpful" information in that error message would be a security issue.

[–] smeg@feddit.uk 17 points 1 day ago (2 children)

I am annoyed by (but respect) APIs that take it a level further and don't even give you a 403 to say you're unauthorised, they just give you a 404 because anything else would acknowledge that the resource you requested actually existed

[–] Pika@sh.itjust.works 12 points 1 day ago* (last edited 1 day ago) (2 children)

I don't respect them because most instances a 403 is more than adequate for your security. The only time I agree with having a 404 over a 403 would be file-specific pathing, but realistically the entire file directory should be a 403 instead of a 404, And then if the user is authorized to access the resource(but it isn't there), then it gives a 404.

[–] Lifter@discuss.tchncs.de 1 points 9 hours ago (1 children)

But if there is no resource, how can the system know whether they are authorized? 403 it is.

[–] Pika@sh.itjust.works 1 points 13 minutes ago* (last edited 6 minutes ago)

Whether you respond as a 404 or a 403 would be dependent on whether or not the user who is logged in has the authorization to read the previous directory.

A site administrator, for example, would have the authority to read the previous directory, which means that the site administrator would know whether or not the resource existed or not(as the previous directory would list it) so in which case a 404 would be proper. However, a user who doesn't have authority to read the previous directory should not have the ability to know whether or not it exists. so a 404 would not be proper here because the proper one would be a 403 because it's inherited from the previous directory.

edit: changed traverse to read, as traversal doesn't mean you can see what else is there.

load more comments (1 replies)
[–] wheezy@lemmy.ml 11 points 1 day ago (2 children)

Wouldn't unauthorized only be meant for AFTER a login is successful?

Like, the user should have to have an active session first. Maybe you're just talking about that case though.

load more comments (2 replies)
load more comments (2 replies)
[–] mech@feddit.org 47 points 1 day ago* (last edited 1 day ago) (6 children)

Yeah, the error message could be more helpful:

Wrong password. Try again.
Hint: the correct password is gHI6shTI2!

load more comments (6 replies)
[–] saltesc@lemmy.world 20 points 1 day ago* (last edited 1 day ago) (1 children)

try all passowrds. Fail

Maybe I don't have an account...

create new account. email already in use. Fail.

Okay, guess I'll reset the password through email.

password can't be one already used. Fail

WHAT?!

load more comments (1 replies)
[–] MimicJar@lemmy.world 7 points 1 day ago

Website: Wrong user name or password.

Me: Password.

Website: Correct! Come right in.

[–] RamenJunkie@midwest.social 11 points 1 day ago

My bigger beef is when I enter the wrong email and it rolls me over to a sign up screen.

Fucker, I have an account, I just don't remeber which of my 20 email addresses it is.

load more comments
view more: next ›