[wp-trac] [WordPress Trac] #14575: Potentially misleading error message for incorrect_password login error
WordPress Trac
wp-trac at lists.automattic.com
Thu Aug 12 09:35:00 UTC 2010
#14575: Potentially misleading error message for incorrect_password login error
--------------------------+-------------------------------------------------
Reporter: mdawaffe | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.1
Component: UI | Version: 3.0.1
Severity: minor | Keywords: has-patch
--------------------------+-------------------------------------------------
Comment(by GamajoTech):
matt - would that not be a slight security issue, in that your error
message would at least be confirming that such a username exists?
At least with "The username or password you entered is incorrect." any
brute force attack still has two elements to get correct at the same time
- why make it easy and confirm that one of them is correct?
--------------
Offering my own counter-argument, the username could probably be confirmed
as existing from the Forgot Password feature - in which case, the benefit
of not making the error messages distinct to make attacks harder is lost
against the negative impact on usability of login attempts from valid
users.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14575#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
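The two error-message policies debated in the comment above, as an added Python example that is not WordPress code: `login_distinct` reports which element was wrong, `login_uniform` returns the single "username or password" message for both cases, and `leaks_username_existence` is a defender's unit check that flags the first policy as an enumeration oracle. The user table, password and salts are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

UNIFORM_ERROR = "The username or password you entered is incorrect."

def _hash(salt: bytes, password: str) -> bytes:
    # PBKDF2 is used only as a stand-in password hash for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed user store: username -> (salt, password digest).
_SALT = secrets.token_bytes(16)
USERS = {"admin": (_SALT, _hash(_SALT, "correct horse battery staple"))}

# Dummy record used for unknown usernames so the uniform variant does the
# same hashing work whether or not the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_DIGEST = _hash(_DUMMY_SALT, secrets.token_hex(16))

def login_distinct(username: str, password: str) -> Tuple[bool, str]:
    """Distinct errors: the caller learns which element was wrong."""
    if username not in USERS:
        return False, "invalid_username"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), digest):
        return False, "incorrect_password"
    return True, "ok"

def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """Uniform error: same message whether the username exists or not."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matched = hmac.compare_digest(_hash(salt, password), digest)
    if username not in USERS or not matched:
        return False, UNIFORM_ERROR
    return True, "ok"

def leaks_username_existence(login: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Defender's check: does a wrong password for an existing account yield a
    different response than an unknown account? True means the login form
    confirms which usernames exist."""
    _, existing = login("admin", "wrong-password")
    _, missing = login("no-such-user", "wrong-password")
    return existing != missing
```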