WordPress.org

Make WordPress Core

Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#2901 closed enhancement (fixed)

Incorrect Login Feedback

Reported by: ptvguy Owned by: Nazgul
Milestone: Priority: low
Severity: minor Version: 2.0.3
Component: Security Keywords: security, feedback, login bg|has-patch
Focuses: Cc:

Description

User, Jared, requests feedback for incorrect login. Says that going directly back to login box results in typing password in plain text for all to see if user is in a hurry.

Attachments (2)

2901.diff (629 bytes) - added by Nazgul 14 years ago.
2901b.diff (518 bytes) - added by Nazgul 14 years ago.

Download all attachments as: .zip

Change History (12)

@Nazgul
14 years ago

#1 @Nazgul
14 years ago

  • Keywords bg|has-patch added
  • Owner changed from anonymous to Nazgul
  • Status changed from new to assigned

Small patch which gives a 'Incorrect username or password' message on a faulty login.

Also, the 'relevant' part of the IRC discussion:

[00:46] jared: BasB: When I access the login page, if I type admin and then hit enter there is no change and then I tend to type in my password next and it appears with admin in the top box
[00:47] jared: This not only shows anyone behind me my pass code. The same one I use for all the important stuff. But it will come up when I type admin, because the browser wants to autofill that box
[00:48] ptvGuy: I never use autfill
[00:48] ptvGuy: I've done that in a hurry
[00:49] jared: ptvGuy: I do, I think its great. But in this case its not so great. Infact I have to turn it off or reset it just to prevent this situation.
[00:50] ptvGuy: I use FireFox on a private computer with password manager so admin is all I need to type
[00:50] ptvGuy: Then, when I'm on someone else's computer with IE, I forget and get in a hurry
[00:50] BasB: First of all, don't use passwords in more than one place (especially in important ones) Second, why do you press enter after entering admin? Shouldn't that be tab?
[00:51] ptvGuy: Yeah, well, you know, when you gotta blog, you gotta blog.
[00:52] ptvGuy: Some of us get in too much of a  hurry
[00:53] ptvGuy: Anyway, I don't think that's a bug
[00:54] BasB: So you want some kind of 'username or password incorect' message? To know that you pressed the wrong button or entered the wrong user/pass?
[00:54] ptvGuy: The only possible fix for that would be hiding both the username and password fields
[00:58] ptvGuy: Anyway, I don't think that the problem you have is a bug.
[00:58] jared_: But back to the login bug. I have had this situation occur half a dozen times.
[00:59] jared_: Usually in a program when you sign in, if the name and password are not correct, you are given feed back
[00:59] ptvGuy: Most just pop you back to the login window
[01:00] jared_: In this case the feedback is missing, so if one is in a hurry or not paying strict attention one easily types the password into the visible text area of the name box
[01:00] jared_: I have only noticed this issue in wordpress
[01:01] jared_: In fact it took me quite a few minutes to figure out how to reproduce the issue. It never really made sense and as soon as I was paying attention to the login I didn't have the problem
[01:02] ptvGuy: So you want an incorrect login feedback page forcing you to choose the option to try to log in again?
[01:02] BasB: If you enter a feature request in trac, I'll create a patch that gives a 'Incorrect username or password' notification for it.

#2 @ryan
14 years ago

wp_login() sets an error message if there is a bad username or password. It does so by setting the global $error var, which is kinda ugly, but it does work.

#3 @ryan
14 years ago

Ah, hold on. I see that we aren't hitting wp_login() if the password is empty. We shouldn't need the first part of the patch, but the last part is needed. How about if empty checks for both username and password with separate messages for each. Use the same message used in wp_login():

'<strong>Error</strong>: The password field is empty.'

@Nazgul
14 years ago

#4 @Nazgul
14 years ago

Modified patch, based on Ryan's suggestions.

#5 @ryan
14 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3966]) Give feedback if username or password fields are empty. Props Nazgul. fixes #2901

#6 @ryan
14 years ago

(In [3967]) Give feedback if username or password fields are empty. Props Nazgul. fixes #2901

#7 @ryan
14 years ago

  • Milestone changed from 2.1 to 2.0.4

#8 @ryan
14 years ago

(In [3971]) Don't trigger warning when first visiting login. fixes #2901

#9 @ryan
14 years ago

(In [3972]) Don't trigger warning when first visiting login. fixes #2901

#10 @(none)
13 years ago

  • Milestone 2.0.4 deleted

Milestone 2.0.4 deleted

Note: See TracTickets for help on using tickets.