It doesn't pass the front end validator, but they check the password strength anyways (on the BE for some reason) to power their indicator. That probably has insufficient guarding on the backend (any number of things), and returns a -1 score for password strength. That yields a second error that quickly overwrites the original length error, and it looks silly. The problem lies _mostly_ on their backend because it shows that their validators aren't aligned, and their strength function provides incorrect results. It could be a source of problems for them.
It doesn't pass the front end validator, but they check the password strength anyways (on the BE for some reason) to power their indicator. That probably has insufficient guarding on the backend (any number of things), and returns a -1 score for password strength. That yields a second error that quickly overwrites the original length error, and it looks silly. The problem lies _mostly_ on their backend because it shows that their validators aren't aligned, and their strength function provides incorrect results. It could be a source of problems for them.