Incorrect Login Feedback

[ptvguy]

User, Jared, requests feedback for incorrect login. Says that going directly back to login box results in typing password in plain text for all to see if user is in a hurry.

[Nazgul]

Small patch which gives a 'Incorrect username or password' message on a faulty login.

Also, the 'relevant' part of the IRC discussion:

[00:46] jared: BasB: When I access the login page, if I type admin and then hit enter there is no change and then I tend to type in my password next and it appears with admin in the top box
[00:47] jared: This not only shows anyone behind me my pass code. The same one I use for all the important stuff. But it will come up when I type admin, because the browser wants to autofill that box
[00:48] ptvGuy: I never use autfill
[00:48] ptvGuy: I've done that in a hurry
[00:49] jared: ptvGuy: I do, I think its great. But in this case its not so great. Infact I have to turn it off or reset it just to prevent this situation.
[00:50] ptvGuy: I use FireFox on a private computer with password manager so admin is all I need to type
[00:50] ptvGuy: Then, when I'm on someone else's computer with IE, I forget and get in a hurry
[00:50] BasB: First of all, don't use passwords in more than one place (especially in important ones) Second, why do you press enter after entering admin? Shouldn't that be tab?
[00:51] ptvGuy: Yeah, well, you know, when you gotta blog, you gotta blog.
[00:52] ptvGuy: Some of us get in too much of a  hurry
[00:53] ptvGuy: Anyway, I don't think that's a bug
[00:54] BasB: So you want some kind of 'username or password incorect' message? To know that you pressed the wrong button or entered the wrong user/pass?
[00:54] ptvGuy: The only possible fix for that would be hiding both the username and password fields
[00:58] ptvGuy: Anyway, I don't think that the problem you have is a bug.
[00:58] jared_: But back to the login bug. I have had this situation occur half a dozen times.
[00:59] jared_: Usually in a program when you sign in, if the name and password are not correct, you are given feed back
[00:59] ptvGuy: Most just pop you back to the login window
[01:00] jared_: In this case the feedback is missing, so if one is in a hurry or not paying strict attention one easily types the password into the visible text area of the name box
[01:00] jared_: I have only noticed this issue in wordpress
[01:01] jared_: In fact it took me quite a few minutes to figure out how to reproduce the issue. It never really made sense and as soon as I was paying attention to the login I didn't have the problem
[01:02] ptvGuy: So you want an incorrect login feedback page forcing you to choose the option to try to log in again?
[01:02] BasB: If you enter a feature request in trac, I'll create a patch that gives a 'Incorrect username or password' notification for it.

[ryan]

wp_login() sets an error message if there is a bad username or password. It does so by setting the global $error var, which is kinda ugly, but it does work.

[ryan]

Ah, hold on. I see that we aren't hitting wp_login() if the password is empty. We shouldn't need the first part of the patch, but the last part is needed. How about if empty checks for both username and password with separate messages for each. Use the same message used in wp_login():

'<strong>Error</strong>: The password field is empty.'

[Nazgul]

Modified patch, based on Ryan's suggestions.

[ryan]

(In [3966]) Give feedback if username or password fields are empty. Props Nazgul. fixes #2901

[ryan]

(In [3967]) Give feedback if username or password fields are empty. Props Nazgul. fixes #2901

[ryan]

(In [3971]) Don't trigger warning when first visiting login. fixes #2901

[ryan]

(In [3972]) Don't trigger warning when first visiting login. fixes #2901

[(none)]

Milestone 2.0.4 deleted