In case it’s not clear from other comments, if the site tells you either one’s wrong but not both, you can then brute force and try out a bunch of usernames and passwords to effectively farm for both: those that say “wrong username” mean that the password is valid, while those that say “wrong password” mean you got the username that’s in the system.
Once you’ve collected them, the rest is just trying out every password for every user.
So… while this seems weird for a person, it is very much intentional.
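An added example, not part of the comment above or of any real site's code: a login check whose failure message depends on the cause, next to one that returns a single generic failure, plus a helper that tests whether failed responses reveal which accounts exist. All user names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the demo fast; real deployments use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user_db(creds: dict) -> dict:
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(pw, salt))
    return db

# Constructed sample accounts.
USERS = make_user_db({"alice": "correct horse", "bob": "hunter2"})

# Dummy record so unknown users cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_leaky(db: dict, user: str, pw: str) -> str:
    """Failure message depends on the cause, so it confirms which users exist."""
    rec = db.get(user)
    if rec is None:
        return "wrong username"
    salt, stored = rec
    if not hmac.compare_digest(_hash(pw, salt), stored):
        return "wrong password"
    return "ok"

def login_uniform(db: dict, user: str, pw: str) -> str:
    """Same message and same hashing work whether the user exists or not."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(pw, salt), stored)
    return "ok" if (matches and user in db) else "invalid username or password"

def distinguishable(login, db: dict, known_user: str, unknown_user: str) -> bool:
    """True if a failed login answers differently for existing and missing users."""
    return login(db, known_user, "x") != login(db, unknown_user, "x")

if __name__ == "__main__":
    print("leaky:  ", distinguishable(login_leaky, USERS, "alice", "mallory"))
    print("uniform:", distinguishable(login_uniform, USERS, "alice", "mallory"))
```

The `distinguishable` helper can be dropped into a test suite as a regression check on a login handler's failure responses.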
There’s no way of knowing if a password is valid without the matching username. That doesn’t make any sense.
You underestimate my capacity to store passwords in plaintext and iterate over all of them for no good reason
Server should also answer: 5 characters correct, 2 on correct positions
Yeah a wrong username means both are wrong. That’s not how it works, that’s not how any of this works.