[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Sun Nov 11 15:35:29 UTC 2018
#45318: Security problem: Login Oracle
------------------------------------+------------------------
Reporter: d0rkpress | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Login and Registration | Version:
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
------------------------------------+------------------------
Changes (by knutsp):
* component: Security => Login and Registration
Comment:
Including a "Limit Login Attempts" functionality in core, demanding more
complex passwords and implementing two-factor auth would all be both better
and a lot easier to implement than starting a huge rewrite to make usernames
a secret.
Starting to look at usernames as secrets will lead to users, and security
advisors, trying to come up with a username as complex as possible, taking
focus away from really strong passwords and 2FA.
When users write down or store their credentials, username and password go
along. When entered, both are submitted at the same time, so if they leak,
both leak.
For 15 years with WordPress I have taught users to select a simple
username, their first name or a nick they are used to, then focus on
constructing a unique and complex (strong) password. When logging in, some
use a wrong username, but the correct password. I have taught them to
look at the error message to find which is wrong.
Many systems have the username as the only display name. In WordPress, no
matter what username you choose, your display name is independent of it.
I can support a long-term path to make usernames not part of public slugs,
as there is a nice plugin for it. This will gain new users only. For existing
users, their username may be allowed to change, without affecting the slug
("user_nicename"), which needs to be permanent.
This ticket is starting at the wrong end, except for some discussion, once
again. Period.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
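The comment above favours limiting login attempts in core over hiding usernames. As an added illustration, not code from the ticket or from WordPress core, here is a minimal plugin-style sketch of that idea built on the real `authenticate`, `wp_login_failed` and `wp_login` hooks; the threshold, the window length and keying the counter on `REMOTE_ADDR` plus username are assumptions of this sketch.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (illustrative)
 *
 * Added example, not WordPress core code: counts failed logins per
 * client address and username in a transient and refuses further
 * attempts once a threshold is reached. Threshold, window and the
 * choice of REMOTE_ADDR as part of the key are assumptions.
 */

const LAL_MAX_ATTEMPTS = 5;    // failures allowed per window (assumed)
const LAL_WINDOW       = 900;  // lockout window in seconds (assumed)

function lal_key( $username ) {
    // Behind a reverse proxy REMOTE_ADDR is the proxy address; use the
    // trusted forwarded header there instead, or the limit becomes global.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Priority 30: core's username/password check runs at 20, and it returns
// the WP_User on a correct password regardless of earlier errors, so the
// lockout must be applied after it to hold even when the password is right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $failures = (int) get_transient( lal_key( $username ) );
    if ( $failures >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// After any failed login (including one refused above): bump the counter
// and restart the window, so hammering a locked account extends the lock.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_key( $username );
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, LAL_WINDOW );
} );

// After a successful login: clear the counter for this client/user pair.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_key( $user_login ) );
}, 10, 2 );
```

Transients live in the options table (or the object cache), so the counter is shared across PHP workers; a per-user key alone would let anyone lock a known account out, which is why the client address is part of the key here.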