Make WordPress Core

Opened 19 years ago

Closed 19 years ago

#1129 closed defect (bug) (wontfix)

Don't distinguish between bad login and bad password in error messages

Reported by: anonymousbugger's profile anonymousbugger Owned by: matt's profile matt
Milestone: Priority: normal
Severity: minor Version: 1.5
Component: Security Keywords:
Focuses: Cc:


Currently wp-login.php gives different error messages for bad logins and bad passwords. This may be user-friendly but it also helps hackers because it tells them when they have found a valid user name (ie. they can concentrate on the password then).
Please give out the same error message for both bad logins and bad passwords.

Attachments (1)

login.patch (984 bytes) - added by anonymousbugger 19 years ago.

Download all attachments as: .zip

Change History (5)

#1 @anonymousbugger
19 years ago

  • Patch set to No

#2 @ryan
19 years ago

  • Status changed from new to assigned

#3 @anonymousbugger
19 years ago

Something similar needs to be done for wp-login.php/retrievepassword, otherwise that can be abused to find valid login names.

#4 @matt
19 years ago

  • Owner changed from anonymous to matt
  • Resolution changed from 10 to 90
  • Status changed from assigned to closed

They can figure out usernames a million easier ways.

Note: See TracTickets for help on using tickets.