• Thorry@feddit.org · 9 upvotes · 1 day ago

    That’s because you’ve been rate limited trying passwords for an hour. When an attacker is randomly trying incorrect passwords, even the correct password will be rejected. Otherwise the protection wouldn’t be very useful.

    • kibiz0r@midwest.social · English · 6 upvotes · 19 hours ago

      Had a convo with someone a while back:

      Bug report: “The ‘reset password’ form doesn’t show an error if you try to reset an account that doesn’t exist.”

      Me: “That would be a security risk. Closed.”

      Them: “What? How? You have to click the link in the email before it does anything.”

      Me: “Try putting in a bogus email on the login screen. See how it says ‘wrong email/password combination’, and not ‘no such account’? If we tell the user whether we recognize a given email, we’re basically providing attackers a list of users they can try passwords for.”
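The two mechanisms discussed in this thread, as one added example that is not part of either comment: Thorry's point that a locked-out account rejects even the correct password until the window expires, and kibiz0r's point that login and password-reset responses must read the same whether or not the account exists. The service, its thresholds (5 failures, a one-hour lock), the sample account and the dummy-hash trick for unknown addresses are all assumptions made for illustration; the dummy hash goes slightly beyond the thread by also keeping response time uniform, since a fast "no such account" path would leak the same information as a distinct error message.

```python
"""Added example, not code from the thread: a toy login/reset service that
(1) locks an account after repeated failures and rejects the correct
    password while locked, and
(2) answers identically for known and unknown addresses.
Thresholds, names and the sample account are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 60 * 60    # one hour, matching the thread's example
GENERIC_LOGIN_ERROR = "wrong email/password combination"
GENERIC_RESET_MSG = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 with a random salt; iteration count is an assumed value."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


# Dummy credential so a login against an unknown address costs the same
# hashing work as a login against a real one (assumed technique).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # (email, token) pairs standing in for reset e-mails actually sent
        self.reset_tokens: List[Tuple[str, str]] = []

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[email] = Account(salt, digest)

    def login(self, email: str, password: str, now: float) -> Tuple[bool, str]:
        acct = self.accounts.get(email)
        if acct is None:
            # Unknown address: same work, same message as a wrong password.
            hash_password(password, _DUMMY_SALT)
            return False, GENERIC_LOGIN_ERROR
        if now < acct.locked_until:
            # Locked: the correct password is rejected too, as Thorry describes.
            # Hash anyway so a locked account is not distinguishable by timing.
            hash_password(password, acct.salt)
            return False, GENERIC_LOGIN_ERROR
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0   # the next window starts fresh after the lock expires
        return False, GENERIC_LOGIN_ERROR

    def request_password_reset(self, email: str) -> str:
        # Same message either way; only a registered address gets a token.
        if email in self.accounts:
            self.reset_tokens.append((email, secrets.token_urlsafe(32)))
        return GENERIC_RESET_MSG


def demo() -> Dict[str, object]:
    """Walk through the scenario from the thread and return the observations."""
    svc = AuthService()
    svc.register("alice@example.com", "correct horse battery staple")  # constructed account
    before_lock = svc.login("alice@example.com", "correct horse battery staple", now=0.0)
    for _ in range(LOCKOUT_THRESHOLD):
        svc.login("alice@example.com", "not-the-password", now=1.0)     # attacker guesses
    while_locked = svc.login("alice@example.com", "correct horse battery staple", now=2.0)
    after_lock = svc.login("alice@example.com", "correct horse battery staple",
                           now=2.0 + LOCKOUT_SECONDS)
    unknown = svc.login("nobody@example.com", "anything", now=0.0)
    reset_unknown = svc.request_password_reset("nobody@example.com")
    reset_known = svc.request_password_reset("alice@example.com")
    return {
        "before_lock": before_lock,
        "while_locked": while_locked,
        "after_lock": after_lock,
        "unknown_user": unknown,
        "reset_messages_match": reset_unknown == reset_known,
        "reset_emails_sent": len(svc.reset_tokens),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add to this design. Per-account lockout lets an attacker who knows a victim's e-mail lock that victim out at will, so real deployments pair it with per-source-IP throttling or a CAPTCHA rather than relying on the lock alone. And the uniform messages only help if every branch also takes roughly the same time, which is why the unknown-address and locked paths still run the password hash before returning.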