This usually means that your old password expired and the system didn’t notify you. Basically, your account is inactive until you set a new password.
Any system I’ve ever used that expires passwords forces you to set a new one upon logging in with the expired one.
It doesn’t just lock you out and expect you to figure out on your own that you’ve gotta reset it via the ‘forgot your password’ link.
Those systems are well designed (save for the part that they’re using password expiry).
There are a lot more shitty programmers out there than good ones.
Oh, Microsoft Active Directory does this, when you log in via a method that doesn’t allow changing the passwords (e.g. VPN login over RADIUS).
That, or the system has a transparent lockout, where if you type your password wrong e.g. 3 times, it’ll stop accepting new tries for a specific duration to stop people trying to guess the password. I’ve run into this type of brute forcing prevention multiple times, though IMO the correct approach would be 2FA coupled with proper passwords instead.
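The cases raised in this thread (transparent lockout, expired password with a forced change, and expired password on a channel that cannot change it) are modelled below as an added example; it is not code from any commenter or product. All names, the 300-second lockout and the hashing parameters are assumptions. It shows why the user sees the same "Login failed" in three different situations while the server-side reason differs.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3       # "e.g. 3 times", as in the comment above
LOCKOUT_SECONDS = 300  # assumed; the thread gives no duration
SALT = b"constructed-demo-salt"  # constructed; use a per-user random salt in practice

def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

@dataclass
class Account:
    pw_hash: bytes
    expires_at: float
    failures: int = 0
    locked_until: float = 0.0

def login(acct, password, now, can_change=True):
    """Return (message shown to the user, reason for the server-side log)."""
    if now < acct.locked_until:
        # Transparent lockout: even the correct password is rejected.
        return "Login failed", "locked_out"
    if not hmac.compare_digest(acct.pw_hash, hash_pw(password)):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "Login failed", "bad_password"
    acct.failures = 0
    if now >= acct.expires_at:
        if can_change:
            # Password was verified, so it is safe to say it expired.
            return "Password expired, set a new one", "expired_must_change"
        # Channel cannot carry a password change (e.g. a RADIUS-backed VPN).
        return "Login failed", "expired_no_change_channel"
    return "Welcome", "ok"

def demo():
    acct = Account(hash_pw("correct horse"), expires_at=10_000.0)
    reasons = [login(acct, f"guess{i}", 0.0)[1] for i in range(3)]
    reasons.append(login(acct, "correct horse", 1.0)[1])     # inside lockout
    reasons.append(login(acct, "correct horse", 301.0)[1])   # lockout elapsed
    reasons.append(login(acct, "correct horse", 20_000.0)[1])
    reasons.append(login(acct, "correct horse", 20_000.0, can_change=False)[1])
    return reasons

if __name__ == "__main__":
    print(demo())
```

Logging the second tuple element is what lets a help desk tell a locked or expired account apart from a mistyped password without exposing that distinction to someone guessing.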