Error Message on Login

First off: I'm no expert

When logging in with, let's say, a wrong username, e.g. if someone uses their email address, you get the following error message:
Username or password do not match the length or complexity requirements of our accounts system.

Which is a bit weird. The error would be "Username can't be an email address" or, more generally, "If existing, the provided username and password don't match," but there's no reason to talk about the "complexity requirements". That only matters when registering.

Sidenote:
Also please note that having complexity requirements isn't necessarily good. An attacker usually receives the password encrypted (if he got it unencrypted, there's no security measure other than 2FA that works anyway). The attacker has to crack it. If you have complexity requirements like "Please have: at least one number, at least one upper case, at least one special character", the attacker can e.g. downsize the dictionary used for the attack.

Now the funny thing is that, as far as I can see, the only requirement for the password is "be at least 6 characters long", so the error above is even weirder.

Maybe just provide an entropy score? That doesn't give away information.
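The sidenote above can be made concrete. The following is an added example and not part of the original post: it assumes a hypothetical policy of "at least 8 characters, at least one upper-case letter, one digit and one special character" (the post itself says the real minimum is only 6 characters), applies that policy to a small constructed wordlist the way a cracker would, counts the full keyspace with and without the composition rule by inclusion-exclusion, and includes a crude `naive_entropy_bits` score of the kind the post suggests instead. The wordlist and the helper names are constructed for this example.

```python
import math
import string
from itertools import combinations, product

# Character classes that "complexity" policies usually talk about.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}

# Constructed sample wordlist (not a real leaked list): what an attacker
# might feed to a cracker before pruning it with the site's policy.
CANDIDATES = [
    "password", "letmein", "Password1", "Summer2023!", "qwerty123",
    "P@ssw0rd", "123456", "Welcome1!", "iloveyou", "Tr0ub4dor&3",
    "correcthorsebatterystaple", "abc123XYZ",
]

# Hypothetical policy for this example (assumption, not the site's real rule).
POLICY_MIN_LEN = 8
POLICY_REQUIRED = ("upper", "digit", "special")


def meets_policy(pw, min_len, required, classes=CLASSES):
    """True if pw is long enough and contains at least one char of every required class."""
    if len(pw) < min_len:
        return False
    return all(any(c in classes[name] for c in pw) for name in required)


def prune(candidates, min_len, required, classes=CLASSES):
    """Drop every candidate the target would never have accepted at registration.
    This is the 'downsize the dictionary' step from the post's sidenote."""
    return [pw for pw in candidates if meets_policy(pw, min_len, required, classes)]


def policy_keyspace(length, required, classes=CLASSES):
    """Number of strings of exactly `length` over the union alphabet that contain
    at least one character from every class in `required`.
    Inclusion-exclusion over the set of classes that are 'missing'."""
    alphabet = set().union(*classes.values())
    n = len(alphabet)
    total = 0
    req = list(required)
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            excluded = set().union(*(classes[m] for m in missing)) if missing else set()
            total += (-1) ** k * (n - len(excluded)) ** length
    return total


def brute_keyspace(length, required, classes):
    """Exhaustive cross-check of policy_keyspace; only usable for tiny alphabets."""
    alphabet = sorted(set().union(*classes.values()))
    return sum(1 for t in product(alphabet, repeat=length)
               if meets_policy("".join(t), 0, required, classes))


def naive_entropy_bits(pw, classes=CLASSES):
    """Crude strength score: length * log2(pool size), where the pool is the union
    of the classes the password actually draws from. It leaks nothing about the
    account system, unlike a 'complexity requirements' error on the login form."""
    pool = sum(len(chars) for chars in classes.values() if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    kept = prune(CANDIDATES, POLICY_MIN_LEN, POLICY_REQUIRED)
    print(f"wordlist: {len(CANDIDATES)} candidates -> {len(kept)} after applying the policy: {kept}")
    full = policy_keyspace(POLICY_MIN_LEN, ())
    restricted = policy_keyspace(POLICY_MIN_LEN, POLICY_REQUIRED)
    print(f"8-char keyspace: {full:.3e} unrestricted, {restricted:.3e} with the policy "
          f"({restricted / full:.0%} of the space is left to search)")
    for pw in ("password", "P@ssw0rd", "correcthorsebatterystaple"):
        print(f"{pw!r}: ~{naive_entropy_bits(pw):.1f} bits (naive estimate)")
```

Note that the naive entropy score treats a dictionary word as if it were random characters, so "password" scores about 37 bits although it is the first guess in any wordlist; a real strength meter has to check against common passwords and patterns too. The keyspace numbers show the other half of the argument: with the composition rule in force, roughly half of all 8-character strings can be skipped outright, and a wordlist shrinks far more than that.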

Comments

  • Hi there! If I'm understanding your issue here correctly, you don't always receive that exact same error when entering an incorrect username or password, only in certain instances. In particular, it sounds like you tried to enter your email address (which is both too long and contains special characters, neither of which is allowed for usernames), so you received the message regarding length and complexity requirements. If you were to just enter a username and/or password that were invalid, you would receive the error message "invalid username or password".

    I can understand how that may be a bit confusing, since the error message it provides seems to be talking about your password when it's likely referring to your username (in this case, the fact that you're trying to enter your email address instead of your username), so I'll be sure to share that feedback with the team!

    I'm going to go ahead and close this thread out now, but please don't hesitate to reach back out if there's anything else we can assist with in the meantime!