If the user enters a username of _aa on sign up, this fits the criteria as posed by the error but is not accepted by Zanata, as It does not start with a letter/number.
The error message given is "Between 3 and 20 letters, numbers and underscores only"
I'm thinking it would be best to not show any instructions initially, but, do live validation, after ~.5sec delay after they finish typing (this could also check for username conflicts).
After it does all the checks, display any that are failing.
It would be good to clarify those rules too, I'm not really sure what the rules are from that sentence.
I'm thinking that any sentence which completely and accurately describes all the validation rules will be at least as difficult to read as the regex.
I think we do these validations using a single regexp, so the bean validator will only return a single failure (not one for each aspect). If we want separate messages, we might need to separate those rules into their own validators, or a custom one.
Writing a single validation certainly sounds efficient, but if the validation fails, the only thing you can say for sure is "the input did not match the regex '#$@&%*
Perhaps, for the sake of better error messages, it would be better to run against multiple regexes, which should be easier to describe in English.
The issue that arises from the above is the user who breaks more than one rule. e.g.
between 3 and 20 letters, numbers, or underscores
must start with a letter or number
At least 3 alphanumeric characters required
A comedy of errors that isn't funny for the user, and is quite often seen in password strength validation.