On Wed, Aug 6, 2025 at 12:19 AM Alain D D Williams <[email protected]> wrote:
>
> In my investigations I did read a note somewhere that the only error that is
> given is "Bad passphrase" no matter what the error really is. This is crap
> coding of the highest order (high as in 'it stinks'), it is unfortunately all
> too common in a lot of s/ware - little effort made to give meaningful error
> messages.

I'm not sure it's the correct answer for this specific situation, but in many sensitive authentication situations this is actually by design. The classic example is that you can check if someone has registered their account at a "sensitive" website (whatever is sensitive or illegal in your country) by just trying an email and a random password. If the account exists it may show "Wrong password" and if it doesn't it may show "No such user". Bingo, now you know if your person-of-interest uses that website or not.

