As per my end-of-month processing, I update and rotate/change the passwords and login credentials for the hundreds of websites and logins I own and use on a regular basis.
I reached my domain registrar, DomainSite, and successfully changed my password to something nice and secure, and their system happily accepted it.
I logged out, and attempted to log in with that new password to verify that it was a successful change, and was denied. I tried again, denied again, and then I received this message from their system:
“For security reasons, if you enter an incorrect password for this account more than 10 times, you will be blocked from this website and will be required to pay a fee to regain access.”
Not only is this an unhelpful message, but it also puts the burden on the owner of the account to pay up if someone else decides to try to lock out their account.
In other words, I can attempt to log into DomainSite as another user more than 10 times, and now that user will have to pay Domainsite to restore their password.
Seriously, who thought this up? In my multi-decade experience of using the Web, I’ve never heard of a single case of someone attempting to charge the owner of a valid login credential, for an account that was locked out and had to be reset or restored.
DomainSite, tsk, tsk! You should know better!
If you’re going to permit someone to change their password legitimately, verify the password or at least describe the password policy so we can decide how complex we can make our passwords, before we lock ourselves out, because your system fails to clarify this on both sides.