> It's common practice to not give an attacker more info than needed

Which does not necessitate LYING to the user.
A static "Password wrong or login timeout in effect <more helpful info on how that works>" would also be infinitely better.

Martin

On Fri, Apr 12, 2024 at 2:25 PM Georg Pfahler <georg@xxxxxxx> wrote:
>
> Hi there,
>
> On Fri, Apr 12, 2024 at 11:36:43AM +0200, Martin Rys wrote:
> > > FYI, the "idiotic default" may feel less annoying when you use the
> > > documented solution
> >
> > Would be great if one got this as an error message when the logins
> > start timing out.
> >
> > Unfortunately that's not the case, the UX is beyond terrible, you get
> > the same identical error for a WRONG password as for the TIMED OUT
> > password, making people waste time and be frustrated to the point of
> > going on mailing lists.
>
> It's common practice to not give an attacker more info than needed, so
> "wrong password" and "locked user" is most likely intended to give the
> same error message.
>
> --
> Georg