Error Message on Login
First off: I'm no expert
When logging in with, let's say, a wrong username, e.g. if someone uses the email, you get the following error message:
Username or password do not match the length or complexity requirements of our accounts system.
Which is a bit weird. The error is "Username can't be an email address" or, more generally, "If existing, the provided username and password don't match.", but there's no reason to talk about the "complexity requirements". That only matters when registering.
Sidenote:
Also please note that having complexity requirements isn't necessarily good. An attacker usually receives the password encrypted (if he got it unencrypted, there's no security measure other than 2FA that works anyway). The attacker has to crack it. If you have complexity requirements like "Please have: at least one number, at least one upper case, at least one special character", the attacker can e.g. downsize the dictionary used for the attack.
Now the funny thing is that, as far as I can see, the only requirement for the password is "be at least 6 characters long", so the error above is even weirder.
Maybe just provide an entropy score? That doesn't give away information.
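The two points in the post, that a mandatory-class rule shrinks the space an offline cracker has to cover and that an entropy score can be shown without revealing which rule failed, can be made concrete with a small calculation. This is an added example, not code from the forum post or the game's account system; the 95-symbol ASCII alphabet, the class sizes and the 6-character minimum used below are assumptions taken from the post's description.

```python
"""Constructed example (not from the forum post or the accounts system).

Quantifies how much a "must contain at least one of each class" rule
reduces the search space at a given length, and gives a rule-agnostic
entropy score.  Alphabet and class sizes are assumptions: 95 printable
ASCII symbols split into lower, upper, digit and special.
"""
from itertools import combinations
from math import log2

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())  # 95 printable ASCII characters
MIN_LENGTH = 6                     # the only rule the post says it found


def constrained_count(length: int, required: tuple) -> int:
    """Number of strings of `length` over the alphabet that contain at least
    one character from every class in `required` (inclusion-exclusion:
    subtract strings that avoid one class, add back those avoiding two, ...)."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def search_space_reduction_bits(length: int, required: tuple) -> float:
    """Bits of search space the composition rule removes versus length alone.
    Positive means the rule helps a cracker prune candidates."""
    return log2(ALPHABET ** length) - log2(constrained_count(length, required))


def entropy_score_bits(password: str) -> float:
    """Rough estimate: log2(size of the classes actually used) * length.
    Reports strength without stating which server-side rule was violated."""
    used = 0
    if any(c.islower() for c in password):
        used += CLASSES["lower"]
    if any(c.isupper() for c in password):
        used += CLASSES["upper"]
    if any(c.isdigit() for c in password):
        used += CLASSES["digit"]
    if any(not c.isalnum() for c in password):
        used += CLASSES["special"]
    return len(password) * log2(used) if used else 0.0


if __name__ == "__main__":
    rule = ("digit", "upper", "special")
    print(f"rule removes {search_space_reduction_bits(MIN_LENGTH, rule):.2f} bits at length {MIN_LENGTH}")
    print(f"entropy of 'abcdef': {entropy_score_bits('abcdef'):.1f} bits")
```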
This discussion has been closed.
Comments
I can understand how that may be a bit confusing based on the error message it provides seeming like it may be talking about your password when it's likely referring to your username (in this case, the fact that you're trying to enter your email address vs. your username), so I'll be sure to share that feedback with the team!
I'm going to go ahead and close this thread out now, but please don't hesitate to reach back out if there's anything else we can assist with in the meantime!