I found an interesting timing bug on Discourse that allows you to be able to have your forum username and password to be the same. When you try to create an account, Discourse does not allow your username and password to be the same. However, you can follow these instructions to have them be the same:
Create an account. (i.e. username can whatever you choose. Password can be HelloWorld100 for example)
When your account is created, go into your user preferences to change your username (If you just go ahead and change your username to be your password and hit, “change username” it will say that the username is unavailable.)
Let’s say your password is HelloWorld100. Now, all you have to do is go into you user preferences and enter HelloWorld1001 as your new username. Quickly press the delete button to delete the extra “1” and then the change username button. Your username will then become equivalent to your password.
I don’t know if this is an issue, but I just wanted to address it just in case. (Even during password reset it won’t allow the username and password to be equivalent. It was just this one case where you had to tap delete and enter very quickly when changing your username!)
I’m also wondering if this timing glitch can bypass other securities such as having the same username as someone else, but I haven’t found anything yet. I will let you know if I find anything else. Thank you!