WordPress.org

Make WordPress Core

Opened 6 months ago

Last modified 5 months ago

#43037 new defect (bug)

Login error message "Invalid username. Lost your password?" is confusing

Reported by: afercia
Owned by:
Milestone: 5.0
Priority: normal
Severity: normal
Version: 2.8
Component: Login and Registration
Keywords: has-screenshots has-patch
Focuses: ui, accessibility
Cc:

Description

Error messages should always clearly describe the error to allow users to determine what is wrong. This is also a WCAG requirement, as recently pointed out in #42985.

When entering an invalid username (or email), the returned error message is "Invalid username. Lost your password?" (or "Invalid email address"), with a link pointing to the retrieve password page:

https://cldup.com/sh4NF-07iV.png

While this link makes perfect sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, why should I ever be offered a link to retrieve my password?

Introduced 9 years ago in [10960] see #9442, and then duplicated for the email login in [36617] see #9568.

Attachments (3)

43037.diff (758 bytes) - added by subrataemfluence 5 months ago.
43037-2.diff (665 bytes) - added by subrataemfluence 5 months ago.
user.php (94.9 KB) - added by zalak151291 5 months ago.


Change History (11)

#1 @afercia
6 months ago

/cc @johnbillion @voldemortensen

#2 @subrataemfluence
5 months ago

  • Keywords has-patch added

Since self-hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address, the "Lost your password" link is not feasible, as @afercia has mentioned already. Hence, we might take out that Forgot Password link completely when WordPress checks for a wrong username or email address. The issue still persists in the current stable version (4.9.1) as well.

I have uploaded a diff. Let me know if that makes any sense.

Thank you!

This ticket was mentioned in Slack in #accessibility by afercia.


5 months ago

#4 @afercia
5 months ago

  • Milestone changed from Awaiting Review to 5.0

#5 in reply to: ↑ description ; follow-up: @SergeyBiryukov
5 months ago

Replying to afercia:

While this link makes perfect sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, why should I ever be offered a link to retrieve my password?

I think it still makes sense when they enter a wrong username. If a user only remembers the email address, the password reset email can be used to remember the correct username (the email contains the site name and the username).

Same for "Invalid email address" error, if a user only remembers the username, they can use the password reset form and then check their inboxes to find where the email went.

Maybe the link text could be changed to something else (e.g. "Lost your username?", "Recover account", "Try password reset"), but I think the link should stay. There's already a "Lost your password?" link below the form, but it's not very noticeable, and getting an error message without any hint for a resolution is not very user-friendly :)

Replying to subrataemfluence:

Since self-hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address

It does allow you to see the username in the password reset email if you remember the email address.

Last edited 5 months ago by SergeyBiryukov

#6 @afercia
5 months ago

@SergeyBiryukov good points! I've just checked the text of the reset password email and it does contain the username:

Someone has requested a password reset for the following account:

Site Name: My Site

Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

<http://example.org/wp-login.php?action=rp&key={some key here}&login=myusername>

Then, I'd completely agree with you that the link text and any other reference to "password reset" or "new password" should be changed, because this is not just a password reset: it also sends you your username :)

At this point, the text displayed on ?action=lostpassword should also be dynamic and differentiate the two cases:

Document title: Lost Password

Notice text: Please enter your username or email address. You will receive a link to create a new password via email.

  • can't remember username? The document title should not mention the password and the text should be something like:
    Please enter your email address. You will receive an email with your username and a link to create a new password.

  • can't remember password? OK as is.

#7 @afercia
5 months ago

Three cases actually... :)

Same for "Invalid email address" error, if a user only remembers the username,

#8 in reply to: ↑ 5 @subrataemfluence
5 months ago

Replying to SergeyBiryukov:

You are right. If a user forgets both Username and Email address, it would be a complete mess!

I have uploaded a modified diff file which uses specific error messages for Username and Email address.

@zalak151291
5 months ago
