diff --git a/security.rst b/security.rst index c611fe4654c..ff0ba9812af 100644 --- a/security.rst +++ b/security.rst @@ -958,10 +958,9 @@ First, you need to enable CSRF on the form login: .. _csrf-login-template: -Then, use the ``csrf_token()`` function in the Twig template to generate a CSRF -token and store it as a hidden field of the form. By default, the HTML field -must be called ``_csrf_token`` and the string used to generate the value must -be ``authenticate``: +Then, add a hidden field to the form. In order to work with the built-in ``FormLoginAuthenticator``, +the HTML field must be called ``_csrf_token``, and the argument of Twig's ``csrf_token()`` function +must be called ``authenticate``: .. code-block:: html+twig @@ -971,7 +970,7 @@ be ``authenticate``:
diff --git a/security/custom_authenticator.rst b/security/custom_authenticator.rst index e79d8a002a1..4edb1ab1016 100644 --- a/security/custom_authenticator.rst +++ b/security/custom_authenticator.rst @@ -349,9 +349,9 @@ would initialize the passport like this:: { public function authenticate(Request $request): Passport { - $password = $request->request->get('password'); $username = $request->request->get('username'); - $csrfToken = $request->request->get('csrf_token'); + $password = $request->request->get('password'); + $csrfToken = $request->request->get('_csrf_token'); // ... validate no parameter is empty
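Review bot: In the security.rst hunk at -958, the added sentence says the argument of ``csrf_token()`` "must be called ``authenticate``", which reads as if it were the argument's name. ``authenticate`` is the string value passed to the function, as the removed text put it ("the string used to generate the value"). Suggest "and the string passed to Twig's ``csrf_token()`` function must be ``authenticate``". The rewrite also drops the "By default" qualifier from the removed text, so both names now read as fixed requirements. If that is intended only for the built-in ``FormLoginAuthenticator``, keeping "by default" would preserve the hint that they can differ. Minor style point: the three added lines are noticeably longer than the wrapped lines they replace.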
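Review bot: In the security/custom_authenticator.rst hunk at -349, swapping the order of the ``$password`` and ``$username`` lines is unrelated to the field rename and adds noise to the diff. Consider leaving the order alone so the only change is ``csrf_token`` to ``_csrf_token``. Since this example now depends on the request key matching the hidden field name described in security.rst, a short comment on the ``$csrfToken`` line saying it must match the name of the hidden field in the login template would help readers who use a different field name, because a mismatch means ``$csrfToken`` is read as empty.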