> It's common practice to not give an attacker more info than needed

Which does not necessitate LYING to the user. A static "Password wrong or login timeout in effect <more helpful info on how that works>" would also be infinitely better.

Martin

On Fri, Apr 12, 2024 at 2:25 PM Georg Pfahler <georg@grgw.de> wrote:
Hi there,

On Fri, Apr 12, 2024 at 11:36:43AM +0200, Martin Rys wrote:
>> FYI, the "idiotic default" may feel less annoying when you use the documented solution
> Would be great if one got this as an error message when the logins start timing out.
> Unfortunately that's not the case, the UX is beyond terrible, you get the same identical error for a WRONG password as for the TIMED OUT password, making people waste time and be frustrated to the point of going on mailing lists.

It's common practice to not give an attacker more info than needed, so "wrong password" and "locked user" is most likely intended to give the same error message.

--
Georg
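The design both posters converge on (one fixed failure message for every failed login, so a caller cannot tell "wrong password" from "locked out", but with the lockout policy spelled out in that message so a legitimate user knows what to do) can be sketched as follows. This is an added Python example, not code from the thread or from the software being discussed; the class and constant names (`Authenticator`, `MAX_FAILURES`, `LOCKOUT_SECONDS`, `GENERIC_FAILURE`) and the policy numbers are assumptions chosen for the example.

```python
import hashlib
import hmac
import logging
import os
import time

# Constructed policy values for the example; a real deployment would make these configurable.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300

# One static message for every failure. It never says WHICH condition fired, but it does
# state the policy so a user who is locked out knows to wait instead of retrying.
GENERIC_FAILURE = (
    "Login failed: wrong password, or a temporary lockout is in effect "
    f"({LOCKOUT_SECONDS // 60} minutes after {MAX_FAILURES} failed attempts)."
)

log = logging.getLogger("auth")


def _hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy credentials used when the account does not exist, so the code path
# (and its timing) is the same for unknown users as for known ones.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)


class Authenticator:
    def __init__(self, users: dict, clock=time.monotonic):
        # users maps username -> plaintext password (constructed test data only);
        # they are salted and hashed here and the plaintext is discarded.
        self.users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, _hash(password, salt))
        self.failures = {}        # username -> (failure_count, time_of_last_failure)
        self.clock = clock        # injectable for testing
        self.last_reason = None   # server-side detail; logged, never returned to the client

    def login(self, name: str, password: str):
        """Return (success, message). The message is identical for every failure mode."""
        now = self.clock()
        count, last = self.failures.get(name, (0, 0.0))

        if count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
            # Locked out: refuse without even checking the password.
            self.last_reason = "lockout"
            log.warning("login for %r refused: lockout in effect", name)
            return False, GENERIC_FAILURE
        if count >= MAX_FAILURES:
            count = 0  # lockout has expired; start counting afresh

        salt, expected = self.users.get(name, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = _hash(password, salt)  # always computed, even for unknown users
        if name in self.users and hmac.compare_digest(candidate, expected):
            self.failures.pop(name, None)
            self.last_reason = "ok"
            return True, "Login successful."

        # Wrong password or unknown user: record the failure, log the real reason,
        # and hand the client the same generic text as in the lockout branch.
        self.failures[name] = (count + 1, now)
        self.last_reason = "unknown user" if name not in self.users else "wrong password"
        log.warning("login for %r failed: %s (failure %d)", name, self.last_reason, count + 1)
        return False, GENERIC_FAILURE
```

The server-side log keeps the distinction an operator needs for troubleshooting, while the client-facing string is the same byte sequence in all three failure branches (lockout, wrong password, unknown account); the hash is computed even for non-existent accounts so response time does not leak what the message withholds.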