Our internal security team has identified that the Control portal is not currently compliant with OWASP (Open Web Application Security Project) Top 10 Application Security Risks. Per the ticket I opened we are submitting this feature request, which is actually to limit the response dialog to only "Login failed; Invalid userID or password".
Authentication and Error Messages
Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.
An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.
Incorrect Response Examples (All Currently Present in Control)
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
Correct Response Example
"Login failed; Invalid userID or password"
The standard from OWASP is A2:2017 Broken Authentication - https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
From their cheat sheet section 1.1.8 Authentication and Error messages - https://www.owasp.org/index.php/Authentication_Cheat_Sheet
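The behaviour requested above, sketched as an added example (not part of the original request and not Control's own code): every failure path returns the same HTTP status and body, while the specific reason is recorded only in a server-side audit log. The function names, the account store, and the sample accounts are hypothetical and constructed for illustration; the dummy-hash step for unknown users is an addition that keeps the work done per request the same.

```python
import hashlib
import hmac
import os

GENERIC_MSG = "Login failed; Invalid userID or password"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, disabled: bool = False, active: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "disabled": disabled, "active": active}

# Constructed sample accounts (hypothetical), one per failure case on the page.
USERS = {
    "alice": _make_user("correct horse"),
    "bob": _make_user("hunter2!", disabled=True),
    "carol": _make_user("s3cret", active=False),
}
# Verified against when the user ID is unknown, so the hash is always computed.
_DUMMY = _make_user("placeholder")

def login(user_id: str, password: str, audit_log: list) -> tuple:
    """Return (http_status, body); all failures yield the identical pair."""
    record = USERS.get(user_id)
    candidate = record or _DUMMY
    password_ok = hmac.compare_digest(
        _hash(password, candidate["salt"]), candidate["hash"])
    if record is None:
        reason = "invalid user ID"
    elif not password_ok:
        reason = "invalid password"
    elif record["disabled"]:
        reason = "account disabled"
    elif not record["active"]:
        reason = "user not active"
    else:
        audit_log.append((user_id, "success"))
        return 200, "Login OK"
    # The detail is kept server-side only; the client never sees it.
    audit_log.append((user_id, reason))
    return 401, GENERIC_MSG
```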