If either the username does not exist, or the password does not match the existing username, then "incorrect username or password" is correct by logic. It might be incorrect if assuming xor meaning, because both could be wrong -- username and password.
The parent's point also was that the service cannot identify which one is wrong. Was it the username if the password did not match but matches any other account?
> No, that's highly unlikely.
Why should it be unlikely to mistype the username? Misspellings happen. Some people check what they entered, some don't. People confuse their usernames when they have many. One username might be someone else's on another service. Etc.
> If the password doesn't match, just say so.
Which is wrong if the error lies with the username, not the password, and the mistyped username happens to exist.