12 Apr 2024, 5:56 p.m.
Hi there,

On Fri, Apr 12, 2024 at 11:36:43AM +0200, Martin Rys wrote:
> > FYI, the "idiotic default" may feel less annoying when you use the documented solution
>
> Would be great if one got this as an error message when the logins start timing out.
> Unfortunately that's not the case, the UX is beyond terrible, you get the same identical error for a WRONG password as for the TIMED OUT password, making people waste time and be frustrated to the point of going on mailing lists.
It's common practice to not give an attacker more info than needed, so "wrong password" and "locked user" is most likely intended to give the same error message.

-- 
Georg
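An added example, not part of the thread and not code from the software under discussion: a login check that returns one identical message to the client for every failure while recording the real reason in a server-side log, so an administrator can still tell a wrong password from a locked account. The class name, the policy values and the reason strings are assumptions made for this sketch.

```python
import hashlib, hmac, logging, os, time

log = logging.getLogger("auth")
GENERIC_ERROR = "Login failed"   # the only failure text a client ever sees
MAX_FAILURES = 3                 # assumed policy values, not from the thread
LOCK_SECONDS = 300

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    """Hypothetical in-memory authenticator used only for this example."""
    def __init__(self):
        self.users = {}  # name -> salt, hash, failures, locked_until
        self._dummy_salt = os.urandom(16)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt),
                            "failures": 0, "locked_until": 0.0}

    def login(self, name, password, now=None):
        """Return (ok, client_message, internal_reason)."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        # Run the KDF even for unknown users so response time does not
        # reveal whether the account exists.
        candidate = _hash(password, user["salt"] if user else self._dummy_salt)
        if user is None:
            reason = "unknown_user"
        elif now < user["locked_until"]:
            reason = "locked"      # checked before the password on purpose
        elif hmac.compare_digest(candidate, user["hash"]):
            user["failures"] = 0
            return True, "OK", "ok"
        else:
            reason = "bad_password"
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCK_SECONDS
                user["failures"] = 0
        # The distinction lives only in the server log, never in the reply.
        log.warning("login failed user=%r reason=%s", name, reason)
        return False, GENERIC_ERROR, reason
```

The third tuple element is for the caller's audit trail only and must not be forwarded to the client.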