[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Fri Nov 9 17:29:48 UTC 2018
#45318: Security problem: Login Oracle
--------------------------+------------------------
Reporter: d0rkpress | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by knutsp):
The fact that WordPress usernames are practically public means that
changing the login messages is futile at this point.
Instead of sarcasm, start arguing why WordPress should migrate to
regarding usernames as secrets, in addition to the passwords.
The current behaviour is that the database row `user_nicename`, which is
used as the slug (URL component) in author archives, is constructed from the
username (`user_login`) itself. Also, usernames cannot be changed. (But all
of this can be and is changed by plugins.) Include: how could this change,
and why should we bother?
Example pro argument: If a weak password is guessed then it's even easier
to get in if the username is detectable.
Example contra arguments: when passwords are leaked, both username and
password will be leaked anyway; requiring https is better; an extra
character in the password is better; and so on.
Please respect that the matter has been discussed many times before.
Include whatever new facts were not known when the matter was last
discussed. Be constructive.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
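The comment above points out that the author slug (`user_nicename`) is derived from `user_login`, that core does not let the username change, and that plugins can alter all of this. The plugin below is an added illustration of that plugin-side change; it is not part of the ticket, the comment or WordPress core. It randomizes the slug for new registrations and, in a one-off pass, for existing accounts, and then returns a uniform login error so the message no longer distinguishes an unknown user from a wrong password. The `example_` function names are invented here; every hook and function it calls is documented core API.

```php
<?php
/**
 * Plugin Name: Decouple author slugs from usernames (illustration)
 *
 * Added example for ticket #45318, not WordPress core code. Uses only
 * documented core APIs: the 'user_register' action, get_userdata(),
 * sanitize_title(), wp_generate_password(), wp_update_user(), get_users(),
 * is_wp_error() and the 'login_errors' filter.
 */

/**
 * Replace the default author slug (user_nicename, which core derives from
 * user_login) with a random one, so /author/<slug>/ and the REST API 'slug'
 * field of /wp-json/wp/v2/users no longer reveal the login name.
 * Returns the new slug, or null if the user already had a custom slug or
 * the update failed.
 */
function example_randomize_author_slug( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return null;
    }

    // Leave users alone whose slug is already something other than the
    // core default, i.e. sanitize_title( user_login ).
    if ( $user->user_nicename !== sanitize_title( $user->user_login ) ) {
        return null;
    }

    // Lower-case alphanumerics only (no special chars); user_nicename is
    // limited to 50 characters in core, which this stays well below.
    $slug   = 'a-' . strtolower( wp_generate_password( 16, false ) );
    $result = wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $slug ) );

    return is_wp_error( $result ) ? null : $slug;
}

// New registrations: randomize the slug right after the row is inserted.
add_action( 'user_register', 'example_randomize_author_slug', 10, 1 );

/**
 * One-off pass for accounts that already exist. Run once from an admin-only
 * page or via WP-CLI. Returns the number of slugs that were changed.
 */
function example_randomize_existing_author_slugs() {
    $changed = 0;
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
        if ( example_randomize_author_slug( (int) $user_id ) !== null ) {
            $changed++;
        }
    }
    return $changed;
}

// Caveat: display_name defaults to user_login when no first/last name is
// given at registration, so it still shows the login in bylines and in the
// REST API 'name' field until the user changes it.

// With the slug no longer leaking logins, a uniform login error stops the
// "unknown username" vs "wrong password" distinction this ticket is about.
// Note this also flattens every other login error (e.g. empty fields).
add_filter( 'login_errors', function ( $errors ) {
    return '<strong>Error</strong>: Invalid username or password.';
} );
```

The slug randomization is the part the comment says plugins already do; the `login_errors` filter alone would be, in the comment's words, futile while the author archive still echoes the login.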