Make WordPress Core

Opened 7 years ago

Closed 5 years ago

Last modified 3 years ago

#43037 closed defect (bug) (fixed)

Login error message "Invalid username. Lost your password?" is confusing

Reported by: afercia
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version: 2.8
Component: Login and Registration
Keywords: has-screenshots has-patch has-copy-review
Focuses: ui, accessibility
Cc:

Description

Error messages should always clearly describe the error to allow users to determine what is wrong. This is also a WCAG requirement, as recently pointed out in #42985.

When entering an invalid username (or email), the returned error message is Invalid username. Lost your password? (or invalid email address), with a link pointing to the retrieve password page:

https://cldup.com/sh4NF-07iV.png

While this link makes perfect sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, so why should I ever be offered a link to retrieve my password?

Introduced 9 years ago in [10960] see #9442, and then duplicated for the email login in [36617] see #9568.

Attachments (6)

43037.diff (758 bytes) - added by subrataemfluence 7 years ago.
43037-2.diff (665 bytes) - added by subrataemfluence 7 years ago.
user.php (94.9 KB) - added by zalak151291 7 years ago.
43037.3.diff (1.0 KB) - added by ryokuhi 5 years ago.
Clarifies error messages in login page when the user enters invalid username or email address.
43037.3.diff Login screen.jpg (202.7 KB) - added by ryokuhi 5 years ago.
Login screen after 43037.3.diff patch
43037.2.diff (832 bytes) - added by afercia 5 years ago.


Change History (55)

#1 @afercia
7 years ago

/cc @johnbillion @voldemortensen

#2 @subrataemfluence
7 years ago

  • Keywords has-patch added

Since self hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address, "Lost your password" link is not feasible as @afercia has mentioned already. Hence, we might take out that Forgot Password link completely when WordPress checks for wrong username or email address. The issue still persists in current stable version (4.9.1) as well.

I have uploaded a diff. Let me know if that makes any sense.

Thank you!

This ticket was mentioned in Slack in #accessibility by afercia, 7 years ago.

#4 @afercia
7 years ago

  • Milestone changed from Awaiting Review to 5.0

#5 in reply to: ↑ description; follow-up: @SergeyBiryukov
7 years ago

Replying to afercia:

While this link makes perfect sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, so why should I ever be offered a link to retrieve my password?

I think it still makes sense when they enter a wrong username. If a user only remembers the email address, password reset email can be used to remember the correct username (the email contains the site name and the username).

Same for "Invalid email address" error, if a user only remembers the username, they can use the password reset form and then check their inboxes to find where the email went.

Maybe the link text could be changed to something else (e.g. "Lost your username?", "Recover account", "Try password reset"), but I think the link should stay. There's already a "Lost your password?" link below the form, but it's not very noticeable, and getting an error message without any hint for a resolution is not very user-friendly :)

Replying to subrataemfluence:

Since self hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address

It does allow you to see the username in the password reset email if you remember the email address.

Last edited 7 years ago by SergeyBiryukov

#6 @afercia
7 years ago

@SergeyBiryukov good points! I've just checked the text of the reset password email and it does contain the username:

Someone has requested a password reset for the following account:

Site Name: My Site

Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

<http://example.org/wp-login.php?action=rp&key={some key here}&login=myusername>

Then, I'd completely agree with you that the link text and any other reference to "password reset" or "new password" should be changed, because this is not just a password reset: it also sends you your username :)

At this point, also the text displayed on ?action=lostpassword should be dynamic and differentiate the two cases:
Document title: Lost Password
Notice text:

Please enter your username or email address. You will receive a link to create a new password via email.
  • can't remember username? The document title should not mention the password and the text should be something like:
    Please enter your email address. You will receive an email with your username and a link to create a new password.
    
  • can't remember password? OK as is.

#7 @afercia
7 years ago

Three cases actually... :)

Same for "Invalid email address" error, if a user only remembers the username,

#8 in reply to: ↑ 5 @subrataemfluence
7 years ago

Replying to SergeyBiryukov:

You are right. If a user forgets both Username and Email address, it would be a complete mess!

I have uploaded a modified diff file which uses specific error messages for Username and Email address.

@zalak151291
7 years ago

This ticket was mentioned in Slack in #accessibility by rianrietveld, 6 years ago.

#10 @afercia
6 years ago

  • Milestone changed from 5.0 to 4.9.9

Discussed during today's accessibility bug-scrub and agreed to try this for 4.9.9 consideration.

#11 @SergeyBiryukov
6 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#12 @pento
6 years ago

  • Milestone changed from 4.9.9 to 5.0.1

#13 @pento
6 years ago

  • Milestone changed from 5.0.1 to 5.0.2

#14 @pento
6 years ago

  • Milestone changed from 5.0.2 to 5.0.3

#15 @audrasjb
6 years ago

  • Milestone changed from 5.0.3 to 5.1

Hi,

Since 5.0.3 is going to be released in few days and as the ticket still needs review and commit, let's address this one in 5.1, coming next month.

#16 @pento
6 years ago

  • Milestone changed from 5.1 to 5.2

I'm not wild about the proposed changes. I'm fine with us changing this string, but it needs better wording.

This ticket was mentioned in Slack in #accessibility by afercia, 6 years ago.

#18 @joedolson
6 years ago

This text needs revising, and the target reset password form should also convey to the user what information they will receive in addition to their new password.

#19 @SergeyBiryukov
6 years ago

  • Milestone changed from 5.2 to 5.3

Missed the 5.2 Beta 1 deadline, moving to 5.3.

This ticket was mentioned in Slack in #accessibility by afercia, 6 years ago.

#21 @ramiy
6 years ago

Related: #35736

Replace 'Lost Password' phrase with 'Reset Password'

This ticket was mentioned in Slack in #accessibility by audrasjb, 5 years ago.

#23 follow-ups: @audrasjb
5 years ago

  • Keywords needs-copy-review added

Are we fine with "Recover" wording? Should we rather use "Reset"?

#24 in reply to: ↑ 23 @marybaum
5 years ago

  • Keywords has-copy-review added; needs-copy-review removed

Replying to audrasjb:

Are we fine with "Recover" wording? Should we rather use "Reset"?

My first choice is

Get help with login.

Second would be

Reset login information.

Covers all cases, is brief and doesn't make the user feel stupid -- a big source of my users, anyway, losing their creds in the first place.

#25 in reply to: ↑ 23 @ramiy
5 years ago

Replying to audrasjb:

Are we fine with "Recover" wording? Should we rather use "Reset"?

In most cases we use "Reset Password". Core does not use "Recover Password", but it sounds better than "Lost your password?".

In any case, the only place we use "Recover" wording is the "Recovery Mode".

#26 @afercia
5 years ago

Worth noting the original issue on this ticket is mainly about the invalid username / email message and secondly about the reset password link.

The point is: when users enter a wrong username the error message is:

ERROR: Invalid username. Lost your password?

When they enter a wrong email it's:

ERROR: Invalid email address. Lost your password?

In both cases, the error mentions the username or the email while the only option provided by the user interface is a "Lost your password?" link:

  • the link Lost your password? seems unrelated to errors about username / email
  • nothing informs users that, if they entered a wrong username, they can try with their email or vice-versa
  • nothing explains to users that the reset email they will receive also contains the username
  • nothing informs users that usernames can't be changed anyway (emails can be changed)

Overall, the wording of the username/email error message and the wording of the Lost your password? link don't fully describe what the next steps for users are.

This issue was discussed a bit more in depth during yesterday's extra accessibility bug-scrub focused on the WordPress 5.3 release. The general feedback was that some better wording could greatly help. For example: changing the lost password link to a more generic sentence. Here's a couple of options:

  • Retrieve your login data
  • Get help with login

However, I'd tend to think this issue deserves some more thinking. Let's go through the possible scenarios:

case 1

  • enter a wrong username
  • I get the message ERROR: Invalid username. Lost your password?
  • nothing informs me I can use my email to log in
  • click on Lost your password? because it's the only option
  • I'm asked for my email (which I can actually use to log in)
  • I get an email which contains my username and a link to reset the password
  • click the link
  • enter new password etc.
  • result: I was able to retrieve my username, though the process didn't inform me properly and forced me to change my password

case 2

  • enter a wrong email
  • I get the message ERROR: Invalid email address. Lost your password?
  • nothing informs me I can use my username to log in
  • click on Lost your password? because it's the only option
  • I'm asked for... my email but I can't remember my email: dead end

case 3

  • enter a wrong password
  • OK this works :)

case 4

  • enter both a wrong username/email and a wrong password
  • note: the user interface displays only the Invalid username message first
  • a mix of the above cases

Basically, cases 1 and 2 could be improved.

Seems to me there's no point in displaying the reset password link when the username or email are wrong. While it is true that the reset email contains the username, there's really no "retrieve username" or "retrieve email" option. To get the reset email, users have to remember at least their email which can already be used to log in. This case would need to be better explained.

Pretending I'm not missing anything, I'd like to propose to remove the reset password link from the username and email error messages:

ERROR: Invalid username. You can try with your email.
ERROR: Invalid email address. You can try with your username.

The wrong password messages can stay unchanged:

ERROR: The password you entered for the username {your-username} is incorrect. Lost your password?
ERROR: The password you entered for the email address {your-email} is incorrect. Lost your password?

Any feedback very welcome.

Last edited 5 years ago by afercia

#27 @afercia
5 years ago

  • Keywords 2nd-opinion added

To clarify (before it gets asked) why WordPress doesn't hide error messages related to the username and why that's not considered "information disclosure", see https://core.trac.wordpress.org/ticket/3708#comment:3 and all the following tickets closed as "wontfix", for example #4290.

#28 @ryokuhi
5 years ago

I agree with @afercia on pretty much everything.

A couple more points worth noting to me.

1) In order to login, apart from the password, users need to know either the username or the email address. As long as they remember their password, they can find both the username and the password in their profile page. As such, users don't really need the email with the password reset link, not even to retrieve their username.

2) In my experience, the most common cause for a wrong username or email address is a typo. As such, the first advice a user should get is simply to try again. This is how I would rephrase error messages:

ERROR: Invalid username. Try again, you can also use your email address.
ERROR: Invalid email address. Try again, you can also use your username.

with no links to other pages. Such lines of text should be easily understandable to all and are quite short, so they don't break the UI.

I can rewrite the patch if needed.

Version 0, edited 5 years ago by ryokuhi

#29 @afercia
5 years ago

Good point @ryokuhi! The "retry" part makes sense to me.

#30 @afercia
5 years ago

I can rewrite the patch if needed.

@ryokuhi do feel free to go ahead :)

@ryokuhi
5 years ago

Clarifies error messages in login page when the user enters invalid username or email address.

@ryokuhi
5 years ago

Login screen after 43037.3.diff patch

#31 @ryokuhi
5 years ago

I wrote the patch and added the screenshots of the login page when new error messages are displayed.

In my opinion, there are some inconsistencies in capitalization that should be solved before committing. The whole form uses title case, while the error messages use sentence case. There are two ways to solve this issue:

  • capitalize Username and Email Address in the error message (quick fix);
  • switch to sentence case in the form (needs a bit more time).

I tend to think that title case is more difficult to read, so I'm more inclined towards changing the form instead. Checking for other tickets about capitalization, I found #47298 (already closed and included in 5.3 Beta 1) where, in a similar situation, it's stated that sentence case is more favorable in general. Maybe a discussion about capitalization style across the entire WordPress interface should be started in a new ticket.

As a side note about capitalization and the login form, I think that writing ERROR in all caps isn't particularly user friendly. Since Error is already included in a strong tag, capitalizing the first letter may be enough. As there are different ways to show error messages across the WordPress interface, reviewing and unifying them might also be worthy of a new ticket.

Last edited 5 years ago by ryokuhi

This ticket was mentioned in Slack in #accessibility by audrasjb, 5 years ago.

This ticket was mentioned in Slack in #core by david.baumwald, 5 years ago.

This ticket was mentioned in Slack in #core by afercia, 5 years ago.

#35 @markjaquith
5 years ago

Cleaning up the wording a bit:

Invalid email address. Try again, or enter a username instead.

Invalid username. Try again, or enter an email address instead.

#36 @chanthaboune
5 years ago

I would love for this to be a little more friendly, since the rest of that page looks so friendly! I've shared a few options below, so take your pick (or mix and match as needed).

"I don't recognize that username. Check for errors or use your email address!"
"I don't recognize that email address. Check for errors or use your username!"

"ERROR: Invalid username. Check again or try your email address!"
"ERROR: Invalid email address. Check again or try your username!"

"Unknown username. Try again or use your email address."
"Unknown email address. Try again or use your username."

#37 @markjaquith
5 years ago

I definitely prefer "unknown" over "invalid". It's more accurate, as well as being friendlier!

I don't like "I don't recognize" — where else does WordPress talk to you like a being?

These seem fine:

Unknown username. Check again or try your email address.

Unknown email address. Check again or try your username.

#38 @ryokuhi
5 years ago

Thanks to both @chanthaboune and @markjaquith for your feedback.
Taking what I think is the best from all the proposed texts, I'd suggest using the following messages:

ERROR: Unknown username. Try again or enter your email address instead.
ERROR: Unknown email address. Try again or enter your username instead.

We have to keep "ERROR: " at the beginning of the error message: otherwise, the fact that the notification is an error would be conveyed only by the red bar on the left and that would be a violation of https://www.w3.org/WAI/WCAG21/quickref/?versions=2.0#use-of-color.

Any feedback about this copy would be greatly appreciated, but since Beta 3 (and soft string freeze) is next Monday, it has to be very quick, so that there's time for writing, reviewing and committing the patch.

As there was no feedback on how to deal with capitalization issues in the login form, I'd suggest keeping everything as it currently is and then opening a new ticket to fix these in a future release.

This ticket was mentioned in Slack in #accessibility by audrasjb, 5 years ago.

#40 @audrasjb
5 years ago

  • Keywords needs-refresh added

That's a +1 on my side, though we could avoid capitalizing "Error".
Not sure the word "Error" is even needed in this message. I think we could keep the two previous proposals:

Unknown username. Check again or try your email address.
Unknown email address. Check again or try your username.

#41 @joedolson
5 years ago

I’m fine with the proposal as it is. However, while I think that adding the word ‘error’ can add clarity, it's not actually required.

I’m not convinced that the use of the color red in this case is meaningful - that is, a user does not need to know that the error is highlighted in red to realize this an error. That’s conveyed by the text, and by the fact you weren’t logged in.

#42 @afercia
5 years ago

I'd agree users don't necessarily need to know whether it's an error, warning, or info :) They need proper feedback and guidance for remediation.

Regarding the other occurrences in core of the all caps ERROR I'd propose to open a new ticket: all caps should be avoided for better readability and because screen readers may pronounce all caps as abbreviations. Noting there are inconsistencies in core: sometimes ERROR is all caps, sometimes it's sentence case, sometimes it's bold, sometimes the entire error message is bold. The most recently added ones (PHP compatibility and Site Health) seem to use sentence case.
A few examples:

<strong>ERROR:</strong> There was an error connecting to the server ...
<strong>Error:</strong> Current WordPress and PHP versions do not meet ...
<strong>Error:</strong> This plugin <strong>requires a newer version of PHP</strong>.
<strong>' . __( 'ERROR: The network could not be created.' ) . '</strong>

@afercia
5 years ago

#43 @afercia
5 years ago

  • Keywords commit added; 2nd-opinion needs-refresh removed

43037.2.diff updates the strings to the new ones:

Unknown username. Check again or try your email address.
Unknown email address. Check again or try your username.

Keeps all the other ones unchanged: some of them still use the all caps 'ERROR'. Ideally, 'ERROR' should be removed from anywhere but I guess not at this point of the release cycle (Beta 3).

#44 @afercia
5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46417:

Accessibility: Login and Registration: Improve the invalid username and invalid email messages.

  • explicitly informs users they can use their email to log in as an alternative to their username and vice-versa
  • shows the Lost your password? link only when a wrong password has been entered
  • uses a more appropriate copy by changing "invalid" to "unknown"
  • removes the all caps ERROR

Props subrataemfluence, zalak151291, ryokuhi, SergeyBiryukov, audrasjb, joedolson, marybaum, ramiy, markjaquith, chanthaboune, afercia.
Fixes #43037.

#45 @afercia
5 years ago

  • Keywords commit removed

#46 @SergeyBiryukov
5 years ago

In 47156:

Accessibility: Text Changes: Use sentence case for the word Error in various error messages, instead of all caps.

Using all caps should be avoided for better readability and because screen readers may pronounce all-caps words as abbreviations.

Props afercia, ryokuhi, sabernhardt, garrett-eclipse.
See #47656, #43037, #42945.

#47 @afercia
4 years ago

In 48059:

I18N: Remove the "Error:" prefix from error messages.

For a number of years, most of the WordPress error messages have been prefixed with "Error:". However, these messages appear in a context where it's already clear an error occurred. Whether it's an error, a warning, or any other classification, that's not so relevant for users. The content of the message is the relevant part. The "Error:" prefix doesn't add great value while it does add unnecessary complexity for the message readability.

Also, revises some of these messages to improve clarity and removes HTML from translatable strings.

Props garrett-eclipse, ramiy, SergeyBiryukov, afercia, sabernhardt, quadthemes, audrasjb.
See #47003, #43037, #42945, #15887.
Fixes #47656.

#48 @johnjamesjacoby
4 years ago

Originally, the reason these messages were intentionally vague was to prevent leaking hints during brute-force attacks against wp-login.php about which usernames & email addresses were valid in the system.

This is relatively common practice among websites that allow for open registration, even ones (like WordPress) where the username is considered public. Sure, we can all guess that admin is the default username, but WordPress allows for the default username to be set on new site creation as another way to mitigate a similar attack.

In WordPress, this is partially why user_login and user_nicename are 2 different fields in the database (though are largely treated as interchangeable externally) - to provide the option of having anonymized logins and/or URI friendly versions of more complex logins (think LDAP, which is still a huge WordPress integration).

Perhaps over the years, leaking this type of information has become less of a concern, but I didn't see that counterpoint raised here, so I thought I would mention it.

Related, both BuddyPress and bbPress have similarly vague messaging thanks to following WordPress' lead. If this is a design compromise that is now willing to be made as a way to improve general user-experience with WordPress, it would be best if BuddyPress and bbPress followed suit. Bonus: it would be best if these strings were reusable (maybe even filterable) so that plugins could inherit them easily and without requiring manual code changes going forward.

Last edited 4 years ago by johnjamesjacoby
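A site that wants the trade-off johnjamesjacoby describes to go the other way, with a single failure message that does not reveal whether the username or email existed, can collapse the distinction itself without touching core strings. The must-use plugin below is an added example for this thread, not code from the ticket, from WordPress core, or from BuddyPress/bbPress; the plugin name, the function and constant names, and the wording of the generic message are assumptions. It relies on three facts that are in core: the `authenticate` filter, on which core's own handlers run at priority 20 and `wp_authenticate_spam_check` at 99; the `WP_Error` codes `invalid_username`, `invalid_email` and `incorrect_password` that `wp_authenticate_username_password()` and `wp_authenticate_email_password()` return; and `wp_lostpassword_url()`.

```php
<?php
/**
 * Plugin Name: Uniform login failure message (added example)
 * Description: Returns one generic error for an unknown username, an unknown
 * email address and a wrong password, so a failed login no longer tells an
 * attacker which part was wrong. Place in wp-content/mu-plugins/.
 */

// Error codes produced by core's wp_authenticate_username_password() and
// wp_authenticate_email_password(). Any of these leaks account existence
// (unknown user vs. wrong password), so all three map to one message.
const ULFM_COLLAPSE_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

/**
 * Late callback on the 'authenticate' filter (core runs at 20 and 99, so 100
 * sees the final WP_Error). Other errors, e.g. empty_username or a plugin's
 * own codes, pass through unchanged.
 *
 * @param null|WP_User|WP_Error $user     Result of the earlier callbacks.
 * @param string                $username Submitted username or email address.
 * @param string                $password Submitted password (unused here).
 * @return null|WP_User|WP_Error
 */
function ulfm_uniform_error( $user, $username, $password ) {
	if ( ! is_wp_error( $user ) ) {
		return $user;
	}

	$codes = $user->get_error_codes();
	if ( empty( array_intersect( ULFM_COLLAPSE_CODES, $codes ) ) ) {
		return $user;
	}

	// Replace the specific error (and the username/email echoed back inside
	// the incorrect_password message) with one message for all three cases.
	// The lost-password link stays, because it is still the correct next step
	// whichever field was wrong.
	return new WP_Error(
		'invalid_credentials', // assumed code name, not one core uses
		sprintf(
			/* translators: %s: URL of the lost password form. */
			__( 'The username, email address or password you entered is incorrect. <a href="%s">Lost your password?</a>' ),
			esc_url( wp_lostpassword_url() )
		)
	);
}
add_filter( 'authenticate', 'ulfm_uniform_error', 100, 3 );
```

Rewriting the `WP_Error` on `authenticate` is preferable to post-processing the rendered string on the `login_errors` filter, because it keeps the original codes for everything except the three that leak account existence and does not depend on matching translated text. Two caveats a practitioner should keep in mind: plugins that inspect the error code after a failed login (lockout or logging plugins) will now see `invalid_credentials` instead of the core codes, so check their configuration; and this equalizes only the message, which is the channel this ticket is about. Whether other observable differences between the unknown-user and wrong-password paths exist (response timing, for example) is outside what this page discusses and should be measured separately.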

This ticket was mentioned in Slack in #core by desrosj, 3 years ago.
