Feature #2569
Updated by Alexander Watzinger 6 months ago
Ferat Aydin from "SEC4YOU":https://www.sec4you-pentest.com reported that our login error messages are not conforming to a security guideline because usernames can be found out. Although I (Alex) am not convinced that the seeming security improvement justifies sacrificing usability, the team decided in our last [[Meeting_2025-06-26|developer meeting]] to follow this guideline. So in future we won't tell users at login if their username or password was incorrect but instead will give a generic "Invalid user or password" ("something was incorrect") error message.
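
The change described in this ticket, sketched as an added example (not the project's own code): a login check that names the wrong field next to one that returns a single generic message, plus a regression check that compares the two failure replies. All function names, the user store and the dummy-record step (which goes slightly beyond the ticket so that unknown usernames do the same hashing work) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid user or password"  # wording taken from the ticket


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store (hypothetical, not real project data).
USERS = {"alice": make_user("correct horse")}
# Dummy record so unknown usernames still cost one hash computation.
DUMMY = make_user("placeholder")


def login_verbose(username: str, password: str) -> str:
    """'Before' behaviour: the message tells which field was wrong."""
    user = USERS.get(username)
    if user is None:
        return "Unknown username"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "Wrong password"
    return "OK"


def login_generic(username: str, password: str) -> str:
    """'After' behaviour: one message for every failed login."""
    user = USERS.get(username)
    record = user or DUMMY
    matches = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    return "OK" if user is not None and matches else GENERIC_ERROR


def reveals_username(login) -> bool:
    """Regression check: do unknown-user and wrong-password replies differ?"""
    return login("no-such-user", "x") != login("alice", "x")


if __name__ == "__main__":
    print("verbose leaks:", reveals_username(login_verbose))
    print("generic leaks:", reveals_username(login_generic))
```

A check like @reveals_username@ can run in the test suite so that a later change to the login messages does not reintroduce the difference.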