[wp-trac] [WordPress Trac] #9568: Allow users to log in using their email address
WordPress Trac
noreply at wordpress.org
Tue Jan 19 14:58:15 UTC 2016
#9568: Allow users to log in using their email address
---------------------------------------------------+-----------------------
Reporter:  Denis-de-Bernardy                       | Owner:
Type:      feature request                         | Status:     assigned
Priority:  normal                                  | Milestone:  4.5
Component: Users                                   | Version:    2.8
Severity:  normal                                  | Resolution:
Keywords:  has-patch has-unit-tests dev-feedback   | Focuses:
---------------------------------------------------+-----------------------
Comment (by ryan):
The security team discussed this here (a rare private channel, sorry):
https://wordpress.slack.com/archives/security/p1453132031000512
I'll summarize.
otto42 did a survey of other sites. They all leak.
Facebook: "The email you’ve entered doesn’t match any account. Sign up for an account."
gmail: "Sorry, Google doesn't recognize that email. Create an account using that address?"
iCloud: "xxxx at yyyy.com is not an Apple ID"
Microsoft: "That Microsoft account doesn't exist. Enter a different account or get a new one."
He also reminded us that email is discoverable via signup.
https://kev.inburke.com/kevin/invalid-username-or-password-useless/
nacin reminded that these massive sites have network level monitoring and
ways of mitigating brute force. Individual WordPress sites don't have
that. We must keep that in mind when surveying the field.
Login is an important threshold flow that should be as friendly as can be.
Given that everyone leaks and that emails are discoverable in other ways,
my inclination is to optimize for usability.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/9568#comment:85>
WordPress Trac <https://core.trac.wordpress.org/>
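The trade-off discussed in the comment, as an added illustration that is not part of the ticket or of WordPress core: a minimal login check that accepts either a username or an email address, shown once in the "leaky" style the surveyed sites use (the message reveals whether the account exists) and once with a uniform message and uniform work, so that adding email login does not by itself add an enumeration channel. The user table, salts and passwords are constructed test data.

```python
import hashlib
import hmac

ITERATIONS = 20_000  # kept low so the example runs quickly; real deployments use far more


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed in-memory user table: username -> email, salt, password hash.
_SALT = b"constructed-salt-alice"
USERS = {
    "alice": {"email": "alice@example.com", "salt": _SALT, "hash": _hash("correct horse", _SALT)},
}
BY_EMAIL = {u["email"]: name for name, u in USERS.items()}

# Dummy credentials used when no account matches, so the unknown-account path
# does the same hashing work as the wrong-password path (no timing tell).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username/email or password."


def find_user(login: str):
    """Resolve a username or an email address to a user record, or None."""
    name = BY_EMAIL.get(login.lower()) if "@" in login else login
    return USERS.get(name) if name else None


def login_leaky(login: str, password: str):
    """Style of the surveyed sites: distinct messages reveal account existence."""
    user = find_user(login)
    if user is None:
        return False, "Unknown username or email: " + login
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return True, "ok"
    return False, "Incorrect password"  # confirms the account exists


def login_uniform(login: str, password: str):
    """Same outcome for unknown account and wrong password: one message, same work."""
    user = find_user(login)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    # Always compute the hash, then AND with existence so a dummy match cannot log in.
    matched = hmac.compare_digest(_hash(password, salt), expected) and user is not None
    return (True, "ok") if matched else (False, GENERIC_ERROR)
```

The uniform variant still needs the rate limiting the comment notes individual sites lack; a single message only removes the enumeration oracle, not the brute-force risk.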