WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#14575 closed defect (bug) (fixed)

Potentially misleading error message for incorrect_password login error

Reported by: mdawaffe Owned by:
Milestone: 3.1 Priority: normal
Severity: minor Version: 3.0.1
Component: UI Keywords: has-patch
Focuses: Cc:

Description

When a user attempts to log in with an incorrect password, the incorrect_password error returned by wp_authenticate_username_password() has the following message.

Incorrect password.

If, instead, the user entered the correct password but for the wrong (though existing) account, the error response is the same. In that situation the message in unhelpful and potentially misleading.

For example, a site might have users 'bobbybluefoot' and 'boobybluefoot'. If bobbybluefoot mistypes his username as boobybluefoot, and enters his password, he gets an "Incorrect password" error.

Attached changes the error message to match the error returned by wp_authenticate().

Invalid username or incorrect password.

Attachments (2)

14575.diff (834 bytes) - added by mdawaffe 5 years ago.
14575.2.diff (896 bytes) - added by nacin 5 years ago.

Download all attachments as: .zip

Change History (10)

@mdawaffe5 years ago

comment:1 @lloydbudd5 years ago

Seems like an opportunity to get rid of invalid you invalid! ;-)

"The username or password you entered is incorrect." seems fairly standard and I don't get distracted by the use of invalid.

comment:2 @matt5 years ago

Since we want to distinguish the errors, would it be better to say "The password you entered for the username XYZ is not correct."

Very open to better phrasing, just want to preserve the fact that this is a different error than the incorrect username one.

comment:3 @GamajoTech5 years ago

matt - would that not be a slight security issue, in that your error message would at least be confirming that such a username exists?

At least with "The username or password you entered is incorrect." any brute force attack still has two elements to get correct at the same time - why make it easy and confirm that one of them is correct?


Offering my own counter-argument, the username could probably be confirmed as existing from the Forgot Password feature - in which case, the benefit of not making the error messages distinct to make attacks harder is lost against the negative impact on usability of log in attempts from valid users.

comment:4 @ryan5 years ago

Our policy is to prefer a better user experience over marginally better security, especially since there are so many places that user names can leak anyway.

comment:5 @ryan5 years ago

  • Keywords ux-feedback added

comment:6 follow-up: @jane5 years ago

  • Keywords ux-feedback removed

I would like to go with Matt's version. It sucks when people get the invalid username or incorrect password message on sites and don't know if it's the wrong password or the wrong username, and takes twice as long for them to go through their various combinations.

"The password you entered for the username XYZ is incorrect."

comment:7 in reply to: ↑ 6 @caesarsgrunt5 years ago

Replying to jane:

I would like to go with Matt's version. It sucks when people get the invalid username or incorrect password message on sites and don't know if it's the wrong password or the wrong username, and takes twice as long for them to go through their various combinations.

I absolutely agree.

"The password you entered for the username XYZ is incorrect."

Since the username is still shown in the input, does saying it again in the error message improve anything?

@nacin5 years ago

comment:8 @nacin5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16821]) Include the username in the incorrect password message, for clarity. fixes #14575.

Note: See TracTickets for help on using tickets.