Post-account-activation delay-error should tell me about the duration

[thetillhoff]

After creating an account on your site, and activating it, I got the following error message when trying to log in:

Sorry, you cannot log in yet. As an anti-spam measure, there is a delay after activating a local account before you can log in.

I've now waited for over 10 minutes, but the problem persists. It's really annoying to not know how long the delay is. Is it a minute? Five? Ten? Is it 24h? Not knowing the delay means I'm brute-force guessing that delay :( Which in turn creates unnecessary traffic on your side as well...

[david-a-wheeler]

The delay is configurable. We could display its current value.

The bigger problem is that if we say anything, we tell the spammers that too. I fear that they'd return. But maybe just having a delay, even if they know what it is, will work well enough. Thoughts?

[rfc-st]

Hi,

Suggestion: show on https://www.bestpractices.dev/en/signup that after creating and activating the account (and as an anti-spam measure) it will take some time before one can access the platform.

Thanks!.

[david-a-wheeler]

Fair point. Proposal here: https://github.com/coreinfrastructure/best-practices-badge/pull/2178

We can't give the exact numbers without also giving them to spammers, and we can change them anyway.

[thetillhoff]

I'd appreciate if you could define "a while" more clearly in "If you didn't receive your activation link, and it's been a while [...]". My initial message still applies with the current version; Is it 5 minutes, 5 hours, 5 weeks?

The exact individual duration doesn't matter for non-spammers anyway.