Opened 14 years ago
Closed 14 years ago
#14575 closed defect (bug) (fixed)
Potentially misleading error message for incorrect_password login error
| Reported by: | mdawaffe | Owned by: | |
|---|---|---|---|
| Milestone: | 3.1 | Priority: | normal |
| Severity: | minor | Version: | 3.0.1 |
| Component: | UI | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
When a user attempts to log in with an incorrect password, the incorrect_password error returned by wp_authenticate_username_password() has the following message.
Incorrect password.
If, instead, the user entered the correct password but for the wrong (though existing) account, the error response is the same. In that situation the message is unhelpful and potentially misleading.
For example, a site might have users 'bobbybluefoot' and 'boobybluefoot'. If bobbybluefoot mistypes his username as boobybluefoot, and enters his password, he gets an "Incorrect password" error.
The attached patch changes the error message to match the error returned by wp_authenticate().
Invalid username or incorrect password.
Attachments (2)
Change History (10)
#2, 14 years ago
Since we want to distinguish the errors, would it be better to say "The password you entered for the username XYZ is not correct."
Very open to better phrasing, just want to preserve the fact that this is a different error than the incorrect username one.
#3, 14 years ago
matt - would that not be a slight security issue, in that your error message would at least be confirming that such a username exists?
At least with "The username or password you entered is incorrect." any brute force attack still has two elements to get correct at the same time - why make it easy and confirm that one of them is correct?
Offering my own counter-argument, the username could probably be confirmed as existing from the Forgot Password feature - in which case, the benefit of not making the error messages distinct to make attacks harder is lost against the negative impact on usability of log in attempts from valid users.
#4, 14 years ago
Our policy is to prefer a better user experience over marginally better security, especially since there are so many places that user names can leak anyway.
#6, 14 years ago (follow-up: 7)
- Keywords ux-feedback removed
I would like to go with Matt's version. It sucks when people get the invalid username or incorrect password message on sites and don't know if it's the wrong password or the wrong username, and takes twice as long for them to go through their various combinations.
"The password you entered for the username XYZ is incorrect."
#7, 14 years ago (in reply to: 6)
Replying to jane:
I would like to go with Matt's version. It sucks when people get the invalid username or incorrect password message on sites and don't know if it's the wrong password or the wrong username, and takes twice as long for them to go through their various combinations.
I absolutely agree.
"The password you entered for the username XYZ is incorrect."
Since the username is still shown in the input, does saying it again in the error message improve anything?
Seems like an opportunity to get rid of invalid you invalid! ;-)
"The username or password you entered is incorrect." seems fairly standard and I don't get distracted by the use of invalid.