The trick here is that most login forms use the backing database for authentication, so all we need to do is return a “true” result — we don’t really need to guess anyone’s password. Sometimes we don’t even need to know a username (though I suspect that in practice this may lead to weird authorization problems).