First off: I'm no expert
When logging in with, let's say, a wrong username, e.g. if someone uses the email, you get the following error message:
Username or password do not match the length or complexity requirements of our accounts system.
Which is a bit weird. The error is "Username can't be an email address" or, more generally, "If existing, the provided username and password don't match." but there's no reason to talk about the "complexity requirements". That only matters when registering.
Sidenote:
Also please note that having complexity requirements isn't necessarily good. An attacker usually receives the password encrypted (if he got it unencrypted, there's no security measure other than 2FA that works anyway). The attacker has to crack it. If you have complexity requirements like "Please have: At least one number, at least one upper case, at least one special character", the attacker can e.g. downsize the dictionary used for the attack.
Now the funny thing is that, as far as I can see, the only requirement for the password is "be at least 6 characters long", so the error above is even more weird.
Maybe just provide an entropy score? That doesn't give away information.
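For anyone evaluating a password policy, the sidenote's point about composition rules can be quantified. This is an added example, not part of the original post: it counts how many passwords of a given length satisfy an "at least one of each class" rule, using inclusion-exclusion. The 95-character printable-ASCII alphabet and its class sizes are assumptions.

```python
from itertools import combinations

# Assumed alphabet: 95 printable ASCII characters split into four classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def count_all(length, classes=CLASSES):
    """Number of passwords of the given length with no composition rule."""
    return sum(classes.values()) ** length


def count_compliant(length, required, classes=CLASSES):
    """Number of passwords of the given length that contain at least one
    character from every class named in `required` (inclusion-exclusion
    over the sets of required classes that are entirely absent)."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def compliant_fraction(length, required, classes=CLASSES):
    """Share of the unrestricted keyspace that the rule still allows."""
    return count_compliant(length, required, classes) / count_all(length, classes)


if __name__ == "__main__":
    # The rule quoted in the post: one number, one upper case, one special.
    rule = ("upper", "digit", "special")
    for n in (6, 8, 10, 12):
        share = compliant_fraction(n, rule)
        print(f"length {n:2d}: {share:6.1%} of the keyspace satisfies the rule")
```

At the 6-character minimum mentioned in the post, the rule leaves roughly a third of the unrestricted keyspace; the share grows with length, so a higher minimum length costs less than a composition rule does.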