Specify reason for login failure.

[strbean]

Login failure message is "Please try again.", regardless of reason for failure. If an account is not active or not approved, the user will assume they are getting their login details incorrect.

[maryjgoldman]

We actually may not want to specify the reason. It is common to not give a reason because of hackers. If you give more information, you are helping them figure out what they need to do to enter the site. Can we instead give an email address to contact if they think they are reaching this in error? I'm also open to hearing that this is being over-protective! Perhaps we could keep track of how often people are hitting this for a reason besides incorrect login details?

We can also make sure that in the email we send users after they attempt to sign up that we say that we will activate their login and send them an email when they are active. Not that many people will read the email! But it at least will reach a few people and help them out.

[strbean]

I agree we don't want to give too much information. I think perhaps the following breakdown would be safe:

1) "Incorrect login details" - the user did not enter a correct email and password. This won't confirm whether a given email is associated with an account.

2) "Account not active" / "Account not approved" - only give this message if the email and password are correct. That way a user won't think they are in password limbo and reset their password repeatedly.

3) "Server error" - ideally shouldn't happen, but should be differentiated if it does.

[maryjgoldman]

This seems good. There is no way to learn if an email is associated with an account unless you have the correct password, which makes sense to me. Thanks for talking me through it!

[maryjgoldman]

Let's still include some text in the email to the user in hopes that a few people will read it.