
> The article literally tells how the username can already be validated.

The article says how many websites can allow that. This has nothing to do with the theory. This identifies poor implementations. These implementations trade reducing friction in signups for some user security.

There's nothing wrong with "Invalid Username or Password" (e.g. ssh, et al.), unless the security mechanism is self-sabotaged.



