Ticket #1129 (closed defect (bug): wontfix)

Opened 7 years ago

Last modified 7 years ago

Don't distinguish between bad login and bad password in error messages

Reported by: anonymousbugger Owned by: matt
Priority: normal Milestone:
Component: Security Version: 1.5
Severity: minor Keywords:
Cc:

Description

Currently wp-login.php gives different error messages for bad logins and bad passwords. This may be user-friendly but it also helps hackers because it tells them when they have found a valid user name (ie. they can concentrate on the password then). Please give out the same error message for both bad logins and bad passwords.

Attachments

login.patch Download (984 bytes) - added by anonymousbugger 7 years ago.

Change History

comment:1   anonymousbugger7 years ago

  • Patch set to No

comment:2   ryan7 years ago

  • Status changed from new to assigned

comment:3   anonymousbugger7 years ago

Something similar needs to be done for wp-login.php/retrievepassword, otherwise that can be abused to find valid login names.

comment:4   matt7 years ago

  • Owner changed from anonymous to matt
  • Status changed from assigned to closed
  • Resolution changed from 10 to 90

They can figure out usernames a million easier ways.

anonymousbugger7 years ago

Note: See TracTickets for help on using tickets.