Description
The login rate limit system works well, but the problem is that it still says "The maximum login attempts have been exceeded, please wait a few moments before trying again." even after 10 seconds of it being blocked if entering an incorrect password.
This might confuse users because they might think it didn't actually check the password entered. I think the incorrect login details message should be shown if the user isn't blocked from logging in (i.e. they entered a wrong password 4 times) and then after 6 times show the rate limit message again.
- User enters password wrong 3 times
- Rate limit message is displayed
- User waits a few moments (10 seconds)
- User tries again, but still gets the rate limit message, and gets confused (the submitted details are checked, but the user wouldn't think so)
- User waits a while again, but after entering it incorrectly again, still gets the rate limit message
If they enter the password correctly it does work, but my point is that this would probably confuse the user. Is there any way to make it say the incorrect password message while the user is not blocked from logging in (instead of the rate limit message no matter what after the attempts are > 3)?
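
A sketch of the behaviour requested above, added as an illustration and not taken from the project's code: the message depends on whether the attempt was actually evaluated. The class name, the `MSG_INCORRECT` wording, the sample password and the choice not to evaluate attempts during a lockout are assumptions; the threshold of 3 and the 10 second lockout come from the report.

```python
import hmac
from dataclasses import dataclass

MSG_OK = "ok"
MSG_INCORRECT = "Incorrect login details."  # constructed wording (assumption)
MSG_LIMITED = ("The maximum login attempts have been exceeded, "
               "please wait a few moments before trying again.")


@dataclass
class LoginThrottle:  # hypothetical name, not the project's class
    threshold: int = 3       # failures per lockout, as in the reported steps
    block_seconds: int = 10  # lockout length, as in the reported steps
    failures: int = 0
    blocked_until: float = 0.0

    def attempt(self, supplied: str, expected: str, now: float) -> str:
        # During a lockout the credentials are not evaluated at all, so the
        # rate limit message is the only accurate one (assumption: the
        # reported system still checks them in this state).
        if now < self.blocked_until:
            return MSG_LIMITED
        # Constant-time comparison; a real system compares password hashes.
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self.failures = 0
            return MSG_OK
        self.failures += 1
        # Every `threshold`-th evaluated failure starts a new lockout
        # (the 3rd, the 6th, ...), and that attempt reports the limit.
        if self.failures % self.threshold == 0:
            self.blocked_until = now + self.block_seconds
            return MSG_LIMITED
        # The attempt was evaluated and was wrong: say so.
        return MSG_INCORRECT


def replay(events, expected="correct-horse"):
    """Run (timestamp, password) pairs through one throttle instance."""
    throttle = LoginThrottle()
    return [throttle.attempt(pw, expected, now) for now, pw in events]


# Constructed timeline: three failures, a retry inside the lockout,
# three more failures after it expires, then a correct login.
SAMPLE = [(0, "a"), (1, "b"), (2, "c"), (5, "correct-horse"),
          (13, "d"), (14, "e"), (15, "f"), (30, "correct-horse")]
```
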