Because the application doesn't know what is actually wrong.
The error message is actually correct as written. The user entered their username incorrectly or their password incorrectly, or both. The application doesn’t know which and shouldn’t guess!
This is true for an existing user with a wrong password, but that message would be wrong if the user doesn't exist. In this case, the error clearly would be the username, not the combination user+pass.
The password may be correct for the user (who is a person, and has a password for that service).
Of course the person may have multiple user accounts and he may have given the "wrong" password for the "right" username account, but he may also have given the "right" password for the "wrong" username.
It knows if it doesn't exist though. This whole thing is about sites that say "Username or password is wrong" when they know the username is wrong because it doesn't exist!
What if a username does exist, but isn't my username?
Imagine both 'dave' and 'davr' have an account. I'm 'dave', but I accidentally type 'davr' and my correct password. Now the site will tell me that my password is wrong. So I retype and retype my password over and over again and still can't log in, because the problem isn't the password like the error message says, but rather that I typed my username wrong.
Is it? I thought it was about sites that say "Username or password is wrong" when they know the username does exist! After all, the author is using his own, correct, username in the examples!
The message is still not wrong if you think of "or" as the boolean or, not as the boolean xor. The system knows the username is wrong but it doesn't know anything about the password.
Assume a site has two accounts "user122" and "user123". When a user logs in with "user122" and a password and it does not work: What happened? Did the user mistype the password or the username?
Assume a user got their username or password wrong. What is more likely, they got their username wrong in a way that happens to be the same as another user, or they got their password wrong?
Most people store passwords in their browser, which already makes the answer not that obvious.
For a rarely used web site, I honestly would have no idea if I registered as bonzini, pbonzini or bonzinip. Now my surname isn't particularly common, but smithj and jsmith might be easily confused.
I have a commonish firstlast@gmail account and frequently receive what is the obvious result of people in various parts of the country incorrectly providing my email to apply for jobs, order pizzas, and use other services.
It is absolutely common for users to supply the incorrect username/email.
Because this prompts them to check the username again, instead of trying to enter their password again while they typo'd the username (but hit a valid account with their typo)?
Because it allows attackers to look for accounts. It's part of your privacy that I shouldn't be able to see if you have an account with sexycatpictures.com
> To prevent attackers from knowing whether an account exists or not your signup must only take an email address and provide no feedback in the UI if the sign up succeeded or not. Instead the user would receive an email saying they’re signed up. The only way an attacker would know if an account exists is if they had access to the target’s email.
> Barring that, “username or password incorrect” is just bullshit.
What he means is that the only way it would make sense is if and only if a website's account registration page responded with something like:
"You tried to sign up for me@example.com. If that account didn't already exist, a registration email has been sent to it."
But nobody does that! Registration pages just say "Sorry that email is already in use", which is what makes this whole thing bullshit.
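The two enumeration channels the thread argues about, the login response and the signup response, side by side in one added example. This is illustrative code written for this page, not code from any site or commenter; the in-memory `USERS` dict, the `OUTBOX` list standing in for a mail sender, the PBKDF2 work factor and the function names are all assumptions. `login_leaky` is the pattern that tells an attacker whether an account exists; `login` returns the same message and does the same hashing work whether or not the username exists; `signup` implements the quoted flow where the page's response never changes and only the email that gets sent differs.

```python
"""Login and signup handlers that do not reveal whether an account exists.

Added example for this thread; names, store and mail outbox are assumptions.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for the example


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed in-memory "database": email -> (salt, password_hash).
USERS = {}
# Pending signups awaiting confirmation: token -> email.
PENDING = {}
# Stand-in for the mail sender: list of (recipient, subject) tuples.
OUTBOX = []

# Dummy credential hashed once at startup. When the username does not exist,
# the failing login path hashes against this so it costs the same as a real
# user's wrong-password path and cannot be told apart by timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)

LOGIN_FAILED = "Username or password is incorrect."
SIGNUP_RESPONSE = ("If that address wasn't already registered, "
                   "a registration email has been sent to it.")


def create_account(email, password):
    """Store a salted PBKDF2 hash for the account (used by the signup flow)."""
    salt = os.urandom(16)
    USERS[email] = (salt, _hash_password(password, salt))


def login_leaky(email, password):
    """The pattern the thread objects to: distinct answers leak existence."""
    if email not in USERS:
        return "No such user."
    salt, stored = USERS[email]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Wrong password."


def login(email, password):
    """Same message and same amount of work whether or not the user exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed
    # Constant-time comparison; an unknown email compares against the dummy
    # hash, which no submitted password can match.
    if hmac.compare_digest(candidate, stored) and email in USERS:
        return "OK"
    return LOGIN_FAILED


def signup(email):
    """Signup takes only an email and always answers with the same text.

    An existing account gets a "you already have an account" email; a new
    address gets a confirmation link. Only the inbox owner can tell which.
    """
    if email in USERS:
        OUTBOX.append((email, "Someone tried to sign up with your address"))
    else:
        token = secrets.token_urlsafe(32)
        PENDING[token] = email
        OUTBOX.append((email, "Confirm your new account: token=" + token))
    return SIGNUP_RESPONSE


def complete_signup(token, password):
    """Redeem the emailed token and set the password; returns True on success."""
    email = PENDING.pop(token, None)
    if email is None or email in USERS:
        return False
    create_account(email, password)
    return True
```

Note that `login` still needs the `email in USERS` guard after the comparison: without it an attacker who somehow learned the dummy password would log in as any nonexistent name. Keeping the guard after the hash and comparison means the work done is identical on both failing paths, which is the property the thread's "Username or password is wrong" message is supposed to preserve.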