Make WordPress Core

Opened 20 years ago

Closed 20 years ago

#1129 closed defect (bug) (wontfix)

Don't distinguish between bad login and bad password in error messages

Reported by: anonymousbugger
Owned by: matt
Milestone:
Priority: normal
Severity: minor
Version: 1.5
Component: Security
Keywords:
Focuses:
Cc:

Description

Currently wp-login.php gives different error messages for bad logins and bad passwords. This may be user-friendly but it also helps hackers because it tells them when they have found a valid user name (i.e. they can concentrate on the password then).
Please give out the same error message for both bad logins and bad passwords.

Attachments (1)

login.patch (984 bytes) - added by anonymousbugger 20 years ago.


Change History (5)

#1 @anonymousbugger
20 years ago

  • Patch set to No

#2 @ryan
20 years ago

  • Status changed from new to assigned

#3 @anonymousbugger
20 years ago

Something similar needs to be done for wp-login.php/retrievepassword, otherwise that can be abused to find valid login names.
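The following is an added example, not code from this ticket, the attached login.patch, or WordPress itself. It is written in Python rather than PHP to show the principle behind the description and comment #3 independently of wp-login.php: a leaky login check that returns a different message for an unknown user than for a wrong password, beside a uniform one, plus a password-retrieval reply that never confirms whether an account exists. It goes one step beyond the ticket by also doing the same amount of hashing work for unknown users, so that response time does not leak what the message no longer does. The user store, salt, iteration count and message strings are constructed for illustration.

```python
import hashlib
import hmac

# Constructed user store for the example (not WordPress data): username -> derived key.
def _hash_password(salt: bytes, password: str) -> bytes:
    # PBKDF2 is used here only so the check costs roughly the same time for every call.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-static-salt"  # one salt for all users, fine for an illustration
USERS = {
    "admin": _hash_password(_SALT, "correct horse battery staple"),
}

# Compared against for unknown usernames, so unknown and known users take the same time.
_DUMMY_DIGEST = _hash_password(_SALT, "constructed-dummy-password")


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The behaviour the ticket objects to: two distinct messages reveal which usernames exist."""
    stored = USERS.get(username)
    if stored is None:
        return (False, "Error: Wrong username.")
    if not hmac.compare_digest(stored, _hash_password(_SALT, password)):
        return (False, "Error: Incorrect password.")
    return (True, "")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One generic message for both failure cases, and the same amount of work in both."""
    stored = USERS.get(username, _DUMMY_DIGEST)
    ok = hmac.compare_digest(stored, _hash_password(_SALT, password))
    # A match against the dummy digest must never log anyone in.
    ok = ok and username in USERS
    if not ok:
        return (False, "Error: Invalid username or password.")
    return (True, "")


def retrieve_password_uniform(username: str) -> str:
    """Password-retrieval reply (comment #3): identical text whether or not the account exists."""
    if username in USERS:
        pass  # a real implementation would queue the reset e-mail here
    return "If an account with that name exists, a reset link has been sent."


if __name__ == "__main__":
    for user in ("admin", "nobody"):
        print(user, "leaky:", login_leaky(user, "wrong"))
        print(user, "uniform:", login_uniform(user, "wrong"))
        print(user, "retrieve:", retrieve_password_uniform(user))
```

Running the block prints the two leaky messages side by side with the single uniform one; the `username in USERS` guard in `login_uniform` is what keeps the dummy comparison from ever authenticating an unknown name.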

#4 @matt
20 years ago

  • Owner changed from anonymous to matt
  • Resolution changed from 10 to 90
  • Status changed from assigned to closed

They can figure out usernames a million easier ways.
