
Leaving security aside, "incorrect username/password" is still the more correct and useful statement.

Consider the case where you mistype your username (email). For sites like amazon, gmail, hotmail, yahoo, twitter, etc, it is entirely likely that the mistyped username is somebody else's valid username, you typed the password correctly, and "incorrect password" would hide the problem.




I've worked with a CRM product that allowed non-unique usernames. That's right, the usernames could be duplicated, so we had like 10 jsmiths. It would parse the username/password combo, and if one matched, that's who you logged in as. I never got to test what happened when jsmith had the same password as another jsmith. I'm sure the results would have been terrifying and hilarious. Apparently, the history here is that it used to log people in using their email as their only username, but someone here didn't like that and the vendor tacked on this half-assed solution. So your email is your unique identifier but it's not used during login.

I suspect there's a lot of poorly written software that still does stuff like this. The message is still valid in these cases as well.


I'm going to guess when a new jsmith comes along and tries to sign up with the same password as another jsmith, you get a helpful 'Sorry, that user name and password combination are already in use.'

:P


If they're stupid enough to allow non-unique usernames I wouldn't bet on getting a helpful answer like that :)


You do realize the helpful answer reveals another user's username and password...


Anything other than allowing the user to register with the same username and password as someone else will already give it away, so I don't see the harm in spelling it out.


Just because the requirement was remarkably dumb doesn't mean the developers that implemented it were.


I think Amazon used to do this back in the depths of time.


This seems like a messaging problem?

"Password does not match our records for username/email XXX. Please check that both password and username are correct."

Responding to below:

> This reads to me like a more verbose version of "Incorrect username or password."

Note this version is not wordsmithed and could probably be done better, but the goal and inherent difference of this to the original is to let the user know that the username exists and that it's the password which does not match.


This reads to me like a more verbose version of "Incorrect username or password." I'd favour the shorter version that gets the same point across.


It's not the same, since his message indicates that the username does exist whereas your message doesn't.


"username or password incorrect" does not imply that the username was correct or incorrect. The system is saying one or both fields are incorrect.


Read the proposed message a few comments up. It actually says "username & password do not match the records we have for username XXX", thus implying that username XXX is a valid username. "Username or password is incorrect" does not indicate whether the username is valid or not.


This doesn't solve the problem for me. With some bank/credit card sites my username is "username". Others require a number and hence it's "username1" or "username!4". When I get rejected upon login it would be nice to know if I need to cycle through usernames or passwords.


That statement doesn't help the user fix a problem. Either you tell the user that one of the items is incorrect - "This password does not match our records" or "This user name does not match our records". Simply stating "Incorrect username/password" isn't sufficient enough information to prevent the user from making the same error (or even a different one) again.

Here's what I tell the developers I work with: Design for the users, not for development ease. This pattern has been successfully implemented by literally hundreds (thousands? hundreds of thousands?) of websites, so there's no excuse for trying to cut a corner and try to concatenate use cases. Either the user name is right and the password is wrong, or the user name is wrong and the password doesn't matter, or both are wrong and through some miracle of absolute unicorn user error they've managed to log in to someone else's account - at which point you have a different issue altogether.


You didn't really address the parent's point, which is that their misspelled username might match another real username. In this case, telling them that their password is incorrect is actively sending them down the wrong path, because they are likely to try fixing the password field rather than the username field.


Facebook handles this case by showing the profile picture of the user matching the email field.

Banks and Yahoo handle this case by showing a magic image that you chose, which also provides anti-phishing feedback.


Telling them "correct password, wrong email" seems like a bit of an information leak if you ask me.

I think a "did you mean?" output in case of a bad password as long as there are lexically similar usernames in the database.


Ignoring the fact that doing that would be retarded, if you're following modern practices and hashing passwords with KDFs that's not really possible without killing your server.


Sorry, should have added a :-P to indicate my sarcasm.


More likely, people won't forget how to spell their email address, or make a mistake in typing it that isn't immediately obvious; they might not remember which of their emails they used to sign up, though, even if they only have a couple. No one else can sign up with an email address that belongs to you.


You'd be surprised... After removing the "type it twice" box during registration, the bounce rate of "welcome" emails went up quite a bit.


That's interesting. I always felt that repeating that field was a sort of faux validation, but maybe not!

Well, a lot of people do not know their own phone number.


I've seen mistype rates of close to 20% without the second field. Still, my boss won't allow me to put in the second field because he feels it would hurt the user experience.


Just did that with a password the other day. At least I didn't mistype both my email and password when signing up...


But what happened to your conversion rate?


Well you can at least inform the user that the username is incorrect if there is no user by that name.


You would still have the issues described in the OP. If it says "username incorrect" only when that user does not exist, you can still figure out a username by just trying them with a random password. If you get told "password incorrect" you know the username you just tried already exists.
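The enumeration problem described in this comment, shown in code. This is an added example, not something from the thread: a constructed user store with PBKDF2 hashes, a login check whose distinct messages leak whether a username exists, and a uniform version that returns the same message and does the same KDF work for unknown and known usernames (a dummy record stands in for missing users so response time does not reveal existence either). The user store, passwords and iteration count are made up for the example.

```python
import hashlib
import hmac
import os

# Iteration count kept modest so the example runs quickly; production uses more.
ITERATIONS = 50_000

def kdf(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (stdlib, no extra deps)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _make_record(password: str):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample user store: username -> (salt, hash).
USERS = {"jsmith": _make_record("correct horse battery staple")}

# Dummy record used when the username is unknown, so the server performs the
# same KDF work whether or not the user exists (no timing-based enumeration).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = kdf("dummy-password-never-accepted", _DUMMY_SALT)

def login_leaky(username: str, password: str):
    """Distinct messages: a caller can learn which usernames exist."""
    rec = USERS.get(username)
    if rec is None:
        return False, "username incorrect"          # reveals: no such user
    salt, expected = rec
    if hmac.compare_digest(kdf(password, salt), expected):
        return True, "ok"
    return False, "password incorrect"              # reveals: user exists

def login_uniform(username: str, password: str):
    """Same message and same work whether or not the username exists."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = kdf(password, salt)                 # always run the KDF
    # The membership check guards against the dummy record ever "matching":
    # even a guess of the dummy password fails for an unknown username.
    ok = username in USERS and hmac.compare_digest(candidate, expected)
    if ok:
        return True, "ok"
    return False, "incorrect username or password"
```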


Why is that an issue? You can also do that by trying to create accounts.


"You don't exist. Go away." is my personal favourite.


+1 Agreed. Always loved original user messages. Wish OSes were more funny in their alert messages.


I actually have two amazon accounts with the same email address (username), one has prime and the other one doesn't. Sometimes I type in the 'other' password and get the non-prime account and get confused.


"is still the more correct and useful statement"

No, it is usually incorrect and it is much less helpful than identifying which is incorrect.

"it is entirely likely that the mistyped username is somebody else's valid username"

No, that's highly unlikely.

If the email isn't in the DB, just say so. If the password doesn't match, just say so.


> No, it is usually incorrect...

If either the username does not exist, or the password does not match the existing username, then "incorrect username or password" is correct by logic. It might be incorrect if assuming xor meaning, because both could be wrong -- username and password.

The parent's point also was that the service cannot identify which one is wrong. Was it the username if the password did not match but matches any other account?

> No, that's highly unlikely.

Why should it be unlikely to mistype the username? Misspellings happen. Some people check what they entered, some don't. People confuse their usernames when they have many. One username might be someone else's on another service. Etc.

> If the password doesn't match, just say so.

Which is wrong if the error lies with the username, not the password, and the mistyped username happens to exist.


Yes, you're correct that it's logically correct. I was responding more to "more useful" when it is obviously less useful.

It's unlikely that a typo'd email address is in the DB.

