- Improvement
- Resolution: Fixed
- Major
- None
- None
User accounts can be tested very easily: there are three (or more) different error messages when login fails:
- user deactivated
- wrong password
- user does not exist
Knowing which user accounts are valid can be used as a basis for brute-force attacks, so a generic error message should be shown ("login failed" or something like that).
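The following is an added illustration of the fix described above, not code from this project or ticket: the first login function returns the three distinct messages (user does not exist / user deactivated / wrong password), so an unauthenticated client can tell the cases apart; the second returns one generic "login failed" message and also runs the password hash check against a dummy credential when the username is unknown, so the server does not answer noticeably faster for unknown users. The account store, user names and passwords are constructed sample data; the function and variable names are assumptions for this example.

```python
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass

log = logging.getLogger("login")


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    active: bool


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_user(password: str, active: bool = True) -> User:
    salt = os.urandom(16)
    return User(salt=salt, pw_hash=hash_password(password, salt), active=active)


# Constructed sample accounts (assumption: an in-memory store stands in for the real one)
USERS = {
    "alice": make_user("correct horse", active=True),
    "bob": make_user("battery staple", active=False),
}


def login_enumerable(username: str, password: str) -> tuple[bool, str]:
    """Before the fix: each failure branch returns a different message."""
    user = USERS.get(username)
    if user is None:
        return False, "user does not exist"
    if not user.active:
        return False, "user deactivated"
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return False, "wrong password"
    return True, "ok"


GENERIC_FAILURE = "login failed"

# Dummy credential: unknown usernames still pay for one hash computation,
# so response time does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """After the fix: every failure returns the same message to the client.

    The specific reason is still recorded server-side for operators.
    """
    user = USERS.get(username)
    salt = user.salt if user is not None else _DUMMY_SALT
    expected = user.pw_hash if user is not None else _DUMMY_HASH
    pw_ok = hmac.compare_digest(hash_password(password, salt), expected)

    if user is None:
        reason = "unknown user"
    elif not user.active:
        reason = "deactivated user"
    elif not pw_ok:
        reason = "bad password"
    else:
        return True, "ok"

    # Detail stays in the server log, never in the response body
    log.info("login failed for %r: %s", username, reason)
    return False, GENERIC_FAILURE


def distinct_failure_messages(login) -> set[str]:
    """Collect the messages a client sees for the three failure cases."""
    cases = [("carol", "anything"), ("bob", "battery staple"), ("alice", "wrong")]
    return {login(u, p)[1] for u, p in cases}


if __name__ == "__main__":
    print("before:", distinct_failure_messages(login_enumerable))  # three messages
    print("after: ", distinct_failure_messages(login_generic))     # one message
```

The hardened version still distinguishes the cases internally and logs them, which is what an operator needs to spot a credential-stuffing run; only the response sent to the client is uniform.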
Acceptance criteria