For a few days now, the launcher has been throwing a "password or username wrong" error when I try to log in with my VPN enabled. When it is turned off, the login with the launcher works as usual.
The correct message would be: "Your source IP is blocked."
This also applies to the Mojang website with one exception: The password reset function DOES WORK. When you reset the password with VPN enabled, this throws success, but when you try to log in on the website, it says "password or username wrong", like the Minecraft launcher also does.
So, besides the buggy message, I'd like to address this issue, as I cannot play without VPN applied since I have a centralised router.
So, the launcher needs to accept Leaseweb originated connections again. Leaseweb is a normal hosting company as many are. There is no reason to lock out the whole range of that hoster.
If needed, I can also supply the network range for my required Leaseweb connection.
In the case the IP range ban cannot be removed, I need the IP that the launcher connects to, to work around the VPN using a VPN-free network route to that IP.
Thanks in advance for addressing these issues! : )
Kind regards,
His_Cifnes
Linked issues
is duplicated by 4
Comments 10
Support has been contacted, but posted me the standard stuff like "reset your password" even though I clearly told them what I already did. For this automated❓ answer I had to wait for five days.
Three days ago I replied with the same words as in this ticket... no answer yet. This is a major problem, as I am not the only one using that net range, and everybody can't play anymore... furthermore they all are getting the wrong error message, which misleads support: "Password wrong? Just go and reset it."
Then also blocking a whole provider range just because some users of that range might have mis-behaved (guessing) - What kind of administration is that? If I would work like that at our company, I'd be fired the same month.
If I could at least get an info which IP the launcher wants to contact, I could build a temporary network route around the VPN, so I could at least play while my problem is (hopefully) being addressed.
I have contacted support and the bug tracker to get my problem solved. But none of those did. - Why do they exist in the first place, if they cannot do anything?
Furthermore, all MC Launcher bugs have been discarded as "invalid" or "works as intended". Looks like the whole category "MCL" can be removed, just to make life easier for the bug tracker team, as all the MCL requests are invalid anyway.
The bug tracker is quite literally, for bugs. It's managed by volunteers (green and blue nametags) and we have no access to internal systems. So support is the only way to go.
This may explain something : https://www.reddit.com/r/Minecraft/comments/5vwve1/mojang_now_ban_accounts_for_vpn_usage/
Throttled or not. The message is wrong and misleads error tracking.
I am routing through a VPN because I cannot watch YouTube otherwise.
My location is Germany and I am using a German endpoint, so Germany2Germany.
Disabling the VPN immediately makes stuff work. Or also it helps routing some IPs around the VPN and immediately works too with VPN enabled. But this is st*pid indeed. Why would somebody need to block VPN usage? What do they fear?
Logging into Minecraft via nickname should be enough to authenticate. The location of that user is irrelevant, as usage of VPN was not part of the use policy of Minecraft when I began playing.
I tried several locations, as my VPN provider offers many in some relevant cities all over the world, but none worked with Minecraft.
Mojang support replied "We do not block any IP of that net range", when I sent them some ranges of my VPN provider. Quite weird. It's not blocked but still is?!
Well.. maybe Mojang is not blocking these ranges, but perhaps Amazon does...?! (As MC stuff relies on Amazon cloud services..)
Let's think it through: the throttling is so bots can't bruteforce accounts. The message shown is invalid password, so they never know if it's really invalid or just that they are throttled (better if they don't know about the throttling to start).
The reason VPNs are "blocked" is because once somebody tries 3 invalid passwords on that IP, it throttles it for an hour. If someone on the VPN happens to have the same IP as the one the VPN assigned to you (they try to assign people to the same IP so as to hide the traffic of each person more), then the entire IP is throttled for the hour. That's not something Mojang blocks just because it's a VPN, but because people are using it for stuff they shouldn't, or really need to get a password manager (that also applies if 3 different people on the same IP try to log in with an invalid password: it sums to 3, so everyone is throttled now).
> Throttled or not. The message is wrong and misleads error tracking.
Exactly. This causes a lot of pain to regular users, especially non-technical users, with the popularity of proxies and VPNs for avoiding unfair geoblocking. I spent about 25 minutes debugging before stumbling onto this thread. I kept reading "turn your VPN off", which caused me the trouble, since my VPN was on originally and turning it off was causing the problem.
> Let's think it through: the throttling is so bots can't bruteforce accounts
Bruteforcing is done no matter the errors. If someone is bruteforcing to steal accounts, they will research the service and know what the error message means.
> The reason VPNs are "blocked" is because once somebody tries 3 invalid passwords on that IP, it throttles it for an hour
This is not the issue I had. I found that if my IP jumped somewhere in the world, I would be told "invalid password" immediately (first login attempt failed). The first time I then tried my password a few more times, including typing it manually and copying it from my password manager with a different clipboard which then blocks the IP for an hour.
This wasn't my issue, but 3 incorrect password attempts to access an account is no problem, but it needs a proper, correct error message. 3 incorrect attempts on the same IP seems very problematic, especially with common VPNs and proxies. If they are all on different accounts, there is no security lost in allowing 10-50 attempts.
It doesn't happen in just VPNs; it happens when you have used your 3 tries. The message is the same as invalid password so attackers don't know if the password was really invalid or not; the amount of research doesn't matter if you are not sure. The throttling is to slow them down, not to fully prevent them, as that's impossible.
I prefer that small annoyance instead of bots stealing accounts.
The reason for this is so automated attempts are slowed down drastically.
If you need to unblock it, contact support.
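The throttle behaviour described in the comments above, modelled as an added example that is not part of the original thread and not Mojang's code. The 3-failure limit and one-hour window come from the comments; the class, the key functions, the accounts and the IP (a documentation-range address) are constructed for illustration, and the per-(IP, account) key is one assumed reading of the alternative a commenter argues for.

```python
from collections import defaultdict

WINDOW = 3600    # throttle duration in seconds ("an hour" in the thread)
MAX_FAILS = 3    # failed attempts before throttling (per the thread)

class LoginThrottle:
    """Failed-login throttle; key_fn decides what the failure counter is keyed on."""
    def __init__(self, users, key_fn):
        self.users = users                # username -> password (constructed demo data)
        self.key_fn = key_fn
        self.fails = defaultdict(list)    # key -> timestamps of recent failures

    def login(self, ip, user, password, now):
        """Return (message shown to the client, reason kept in the server log)."""
        key = self.key_fn(ip, user)
        recent = [t for t in self.fails[key] if now - t < WINDOW]
        self.fails[key] = recent
        if len(recent) >= MAX_FAILS:
            # The client sees the same text as for a bad password; only the
            # server-side reason lets support tell the two cases apart.
            return ("invalid_credentials", "throttled")
        if self.users.get(user) == password:
            return ("ok", "ok")
        recent.append(now)
        return ("invalid_credentials", "bad_password")

def per_ip(ip, user):
    return ip                 # behaviour described in the thread

def per_ip_and_account(ip, user):
    return (ip, user)         # assumed alternative: count per account on that IP

def shared_ip_scenario(key_fn, alice_login_at=10):
    """Three users behind one VPN exit IP each fail once, then alice logs in correctly."""
    users = {"alice": "correct-horse", "bob": "b", "carol": "c", "dave": "d"}
    throttle = LoginThrottle(users, key_fn)
    vpn_ip = "203.0.113.7"    # constructed shared exit address
    for t, name in enumerate(["bob", "carol", "dave"]):
        throttle.login(vpn_ip, name, "wrong", now=t)
    return throttle.login(vpn_ip, "alice", "correct-horse", now=alice_login_at)

if __name__ == "__main__":
    print("per IP:          ", shared_ip_scenario(per_ip))
    print("per IP + account:", shared_ip_scenario(per_ip_and_account))
    print("per IP, 1h later:", shared_ip_scenario(per_ip, alice_login_at=3700))
```

With the per-IP key, alice's correct password is rejected with the same client message as a wrong one, which is the confusion reported in this ticket; the logged reason is what a support agent would need to see.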