diff --git a/README.md b/README.md
index e2c7c82..94dc655 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,6 @@ Here is a brief overview of the project to help you learn your way around:
 ### To do list
 - Make the wording between "new", "create", "add"; and "remove", "delete" more consistent.
 - User account system, permission levels, private pages.
-- Debate whether the `UserMixin.login` method should accept usernames or I should standardize the usage of IDs only internally.
 - Ability to access user photos by user's ID, not just username.
 - Replace columns like area, ratio, bitrate by using expression indices or views (`width * height` etc).
 - Add a `Photo.merge` to combine duplicate entries.
diff --git a/etiquette/photodb.py b/etiquette/photodb.py
index b7fb349..343c6ec 100644
--- a/etiquette/photodb.py
+++ b/etiquette/photodb.py
@@ -1300,20 +1300,18 @@ class PDBUserMixin:
         yield from self.get_things('user')
 
     @decorators.required_feature('user.login')
-    def login(self, user_id, password):
+    def login(self, username=None, id=None, *, password):
         '''
         Return the User object for the user if the credentials are correct.
         '''
-        user_row = self.sql_select_one('SELECT * FROM users WHERE id == ?', [user_id])
-
-        if user_row is None:
+        try:
+            user = self.get_user(username=username, id=id)
+        except exceptions.NoSuchUser:
             raise exceptions.WrongLogin()
 
         if not isinstance(password, bytes):
             password = password.encode('utf-8')
 
-        user = self.get_cached_instance('user', user_row)
-
         success = bcrypt.checkpw(password, user.password_hash)
         if not success:
             raise exceptions.WrongLogin()
diff --git a/frontends/etiquette_flask/backend/endpoints/user_endpoints.py b/frontends/etiquette_flask/backend/endpoints/user_endpoints.py
index fe42ecd..721e890 100644
--- a/frontends/etiquette_flask/backend/endpoints/user_endpoints.py
+++ b/frontends/etiquette_flask/backend/endpoints/user_endpoints.py
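Review bot: The docstring of `login` was not updated for the new signature: it does not say that exactly one of `username` or `id` selects the user, that `password` is now keyword-only, or that it may be passed as str or bytes; I'd extend it with `Pass either username or id; password is keyword-only (str or bytes). Raises WrongLogin if the user is unknown or the password does not match.` On the `except exceptions.NoSuchUser:` branch, `raise exceptions.WrongLogin() from None` would keep the unknown-user versus bad-password distinction out of the new exception's `__context__`, which otherwise appears in any traceback a caller logs. The parameter name `id` shadows the builtin, a style nit that is harder to change later now that callers pass it by keyword. What `get_user` does when both `username` and `id` are None is outside the hunk; if it raises something other than `NoSuchUser` in that case, the exception propagates out of `login` untranslated. The body of `login` continues past the end of the hunk.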
@@ -64,8 +64,7 @@ def post_login():
             # information (user exists) leak via response time?
             # Currently I think not, because they can check if the account
             # page 404s anyway.
-            user = common.P.get_user(username=username)
-            user = common.P.login(user.id, password)
+            user = common.P.login(username=username, password=password)
         except (etiquette.exceptions.NoSuchUser, etiquette.exceptions.WrongLogin):
             exc = etiquette.exceptions.WrongLogin()
             response = etiquette.jsonify.exception(exc)
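Review bot: If `password` can reach this call as None (how it is read from the request is outside the hunk), `login` fails on `password.encode('utf-8')` with an AttributeError instead of `WrongLogin`, and the `except` tuple on the following line does not catch it, so the client gets a server error rather than the uniform login-failure response; a guard such as `if not password: raise etiquette.exceptions.WrongLogin()` placed before the call inside the `try` would keep the two paths indistinguishable. `NoSuchUser` in the `except` tuple is now redundant for this call, since `login` translates it into `WrongLogin` itself; keeping it is harmless, but the comment above could note that the lookup and the translation both happen inside `login` now. `post_login` starts before the hunk.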