The current CAPTCHA implementation may not be secure

2010-04-18T01:44:58
ID ATLASSIAN:JRASERVER-21035
Type atlassian
Reporter padawan
Modified 2017-02-17T06:16:59

Description

The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the CAPTCHA is entered correctly but the password for the user is not than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error message that is displayed whilst a CAPTCHA is being displayed should remain constant.

e.g. "Sorry, your username, password or captcha is incorrect - please try again."
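
The behaviour described in this report, next to the constant-message form it asks for, as an added example that is not from the report or from JIRA's code base. The function names, the sample account and the two distinct messages in `login_leaky` are constructed for illustration; only the generic message text comes from the report.

```python
import hashlib
import hmac

# Message text proposed in the report; returned for every failed attempt.
GENERIC_ERROR = ("Sorry, your username, password or captcha is incorrect"
                 " - please try again.")

# Constructed sample data (assumption): one account with a PBKDF2 hash.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 1000)}


def _password_ok(username, password):
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 1000)
    # Unknown users are compared against a dummy hash so the work is the same.
    matches = hmac.compare_digest(candidate, stored or b"\0" * 32)
    return matches and stored is not None


def login_leaky(username, password, captcha, expected):
    """Reported behaviour: the message reveals which check failed."""
    if captcha != expected:
        return False, "The CAPTCHA text was entered incorrectly."  # constructed
    if not _password_ok(username, password):
        return False, "Your username or password is incorrect."  # constructed
    return True, "OK"


def login_uniform(username, password, captcha, expected):
    """Requested behaviour: run both checks, then give one failure message."""
    captcha_ok = hmac.compare_digest(captcha.encode(), expected.encode())
    password_ok = _password_ok(username, password)
    if captcha_ok and password_ok:
        return True, "OK"
    return False, GENERIC_ERROR


def failure_messages(handler, expected="x7k2"):
    """Collect the distinct messages a handler gives across failure cases."""
    cases = [
        ("alice", "correct horse", "wrong"),    # CAPTCHA wrong, password right
        ("alice", "bad password", expected),    # CAPTCHA right, password wrong
        ("alice", "bad password", "wrong"),     # both wrong
        ("mallory", "bad password", expected),  # unknown user
    ]
    return {handler(u, p, c, expected)[1] for u, p, c in cases}
```

A regression test for a login form can use the same idea: drive every failure combination and assert that the set of response messages has exactly one member.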