This looks like Hyundai Bluelink, and if it’s not, then it has the exact same issue. The old password was a generated password provided by support.
Whatever site that is, make sure you use a burner email, burner pw (if you get it to work) and joe doe contact info.
To me it looks like their frontend guy just copy/pasted the password field with all validation over without thinking twice. I wouldn’t say this speaks to their general security competence.
While that may be true (copy/🍝), it implies that their code quality and QA process is broken and some of the most important fields/data are not being closely looked at. It certainly DOES speak to their overall security competence.
Could also be backend validation is broken, so FE just shows the user something useful rather than waiting for backend to reject and show a generic error message.
That would be actively malicious. I don’t know how anyone could get the idea to just show “something” if the backend sends a generic error message.
I’m not sure what’s wrong, but have you checked if your tomatoes are fresh?
When you take software reuse a step too far.