By default, the template messages expose information to the end user regarding the existence and validity of a user account, as well as other status information. The default messages make initial system familiarization and testing easier. Depending on the production deployment environment and the security policy in place, the exposure of this extra information can be limited easily by modifying the error messages accordingly. This prevents brute-force style user-enumeration attacks that probe for valid user accounts, at the expense of user friendliness.
Similar modifications can be made to all authentication method messages, according to the security policy needs of the deployment. Such modifications should be made to all localized versions, e.g., custom/messages/errors_<locale>.properties, as well as to the system default messages in
For user support, appending an error code number to the end of each localized message displayed helps support staff identify error situations quickly. Below, the same message in different languages carries the same error code, so that support staff can identify the error in a multi-language user environment.
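As an added illustration that is not part of the original documentation, the following check reads the contents of several locale files of the kind described above and reports messages that lack an error code, keys whose error code differs between locales, and English messages that confirm or deny that an account exists. The file contents, message keys and the [Ennnn] code format are constructed placeholders, not the product's real keys or conventions.

```python
import re
from collections import defaultdict
# Constructed sample contents of two locale files; keys and messages are
# placeholders for illustration, not the product's real message keys.
LOCALE_FILES = {
    "en": """
login.failed=Invalid username or password. [E1001]
login.locked=Account temporarily locked. [E1002]
login.nouser=No such user account exists.
""",
    "fi": """
login.failed=Virheellinen käyttäjätunnus tai salasana. [E1001]
login.locked=Tili on tilapäisesti lukittu. [E1003]
login.nouser=Käyttäjätiliä ei ole olemassa. [E1004]
""",
}
# The error code is expected as a bracketed tag at the very end of the message.
CODE_RE = re.compile(r"\[(E\d{4})\]\s*$")
# Heuristic list of English phrases that confirm or deny that an account exists.
REVEALING = ("no such user", "does not exist", "unknown user", "account exists")

def parse_properties(text):
    """Minimal .properties reader: key=value lines; '#'/'!' comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(locale_files):
    """Return (locale, key, problem) findings for a locale -> file text map."""
    findings = []
    codes = defaultdict(dict)  # message key -> {locale: error code}
    for locale, text in locale_files.items():
        for key, msg in parse_properties(text).items():
            match = CODE_RE.search(msg)
            if match:
                codes[key][locale] = match.group(1)
            else:
                findings.append((locale, key, "missing error code"))
            if any(phrase in msg.lower() for phrase in REVEALING):
                findings.append((locale, key, "reveals account existence"))
    for key, per_locale in codes.items():
        if len(set(per_locale.values())) > 1:
            findings.append(("*", key, "error code differs across locales"))
    return findings
```

The phrase list only covers English wording, so the account-existence check should be extended per locale; the code-consistency check is language-independent.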