Hi,
OOTB hybris blocks a user account after 5 unsuccessful login attempts, but after the account is locked it still shows the generic error message "Your username or password was incorrect." If we change this error message to something more informative, like "Your account is locked.", will it be a security concern, since a brute-force attacker could find out the valid usernames from the site and then misuse them for further attacks?
I am referring to the statement below from https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks (point 2 under the section "Locking Accounts"):
• Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.
I am using Hybris 6.6.
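The oracle the OWASP statement describes can be shown with a small model of the login flow from the question. The following is an added example, not code from SAP Commerce (hybris) or from the poster: it models only the two facts stated above (an account locks after 5 failed attempts; the login form returns either the generic message or an explicit "locked" message) and then runs the harvesting routine an attacker would use against both message policies. The users, passwords and candidate names are constructed for the demonstration, and the password hashing is illustrative only.

```python
"""Username-enumeration oracle created by an informative lockout message.

Added example, not hybris code.  It models the behaviour described in the
question: an account locks after 5 failed logins, and the login form
returns either a generic message (OOTB) or "Your account is locked."
All users, passwords and candidate names are constructed sample data.
"""
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 5

GENERIC_MSG = "Your username or password was incorrect."
LOCKED_MSG = "Your account is locked."


def _hash(password: str) -> bytes:
    # Illustrative only; a real store would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()


class LoginService:
    """Minimal login handler with per-account lockout.

    reveal_lock=False -> generic message for every failure (OOTB behaviour)
    reveal_lock=True  -> the proposed informative message once locked
    """

    def __init__(self, users: dict, reveal_lock: bool):
        self._users = {u: _hash(p) for u, p in users.items()}
        self._failed = {u: 0 for u in users}
        self._reveal_lock = reveal_lock

    def is_locked(self, username: str) -> bool:
        return self._failed.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username: str, password: str) -> tuple:
        stored = self._users.get(username)
        if stored is None:
            # An account that does not exist can never lock; this
            # asymmetry is what the message text may or may not expose.
            return False, GENERIC_MSG
        if self.is_locked(username):
            return False, (LOCKED_MSG if self._reveal_lock else GENERIC_MSG)
        if hmac.compare_digest(stored, _hash(password)):
            self._failed[username] = 0
            return True, "OK"
        self._failed[username] += 1
        if self.is_locked(username):
            return False, (LOCKED_MSG if self._reveal_lock else GENERIC_MSG)
        return False, GENERIC_MSG


def harvest_usernames(service: LoginService, candidates: list) -> list:
    """What an attacker learns from the message text alone.

    Each candidate gets MAX_FAILED_ATTEMPTS + 1 wrong passwords.  A name is
    reported as valid only if the server ever answers with something other
    than the generic message.
    """
    found = []
    for name in candidates:
        for _ in range(MAX_FAILED_ATTEMPTS + 1):
            ok, msg = service.login(name, "not-the-password")
            if not ok and msg != GENERIC_MSG:
                found.append(name)
                break
    return found


# Constructed sample data (hypothetical accounts, not real users).
USERS = {"alice@example.com": "correct horse", "bob@example.com": "battery staple"}
CANDIDATES = [
    "alice@example.com",
    "carol@example.com",
    "bob@example.com",
    "dave@example.com",
]


def run_comparison() -> dict:
    """Harvest against both message policies; returns names found per policy."""
    generic = harvest_usernames(LoginService(USERS, reveal_lock=False), CANDIDATES)
    informative = harvest_usernames(LoginService(USERS, reveal_lock=True), CANDIDATES)
    return {"generic": generic, "informative": informative}


if __name__ == "__main__":
    print(run_comparison())
```

With the generic message the attacker learns nothing from the response text; with the informative message every existing account names itself after five wrong passwords, which is exactly the OWASP point. The example models only the message text; response timing and other side channels that can also distinguish existing from non-existing accounts are not covered here.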