[wp-trac] [WordPress Trac] #43037: Login error message "Invalid username. Lost your password?" is confusing

WordPress Trac noreply at wordpress.org
Tue Jun 16 15:58:55 UTC 2020


#43037: Login error message "Invalid username. Lost your password?" is confusing
-------------------------------------------------+-------------------------
 Reporter:  afercia                              |       Owner:
                                                 |  SergeyBiryukov
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:  5.3
Component:  Login and Registration               |     Version:  2.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-screenshots has-patch has-copy-  |     Focuses:  ui,
  review                                         |  accessibility
-------------------------------------------------+-------------------------

Comment (by johnjamesjacoby):

 Originally, the reason these messages were intentionally vague is to
 prevent leaking hints during brute-force attacks to `wp-login.php` about
 which usernames & email addresses were valid in the system.

 This is relatively common practice among websites that allow for open
 registration, even ones (like WordPress) where the username is considered
 public. Sure, we can all guess that `admin` is the default username, but
 WordPress allows for the default username to be set on new site creation
 as another way to mitigate a similar attack.

 In WordPress, this is partially why `user_login` and `user_nicename` are 2
 different fields in the database, though they are largely treated as the
 same internally - to provide the option of having anonymized logins and/or
 URI friendly versions of more complex logins.

 Perhaps over the years, leaking this type of information has become less
 of a concern, but I didn't see that counterpoint raised here, so I thought
 I would mention it.

 Related, both BuddyPress and bbPress have similarly vague messaging thanks
 to following WordPress' lead. If this is a design compromise that is now
 willing to be made as a way to improve general user-experience with
 WordPress, it would be best if BuddyPress and bbPress followed suit.
 Bonus: it would be best if these strings were reusable, so that plugins
 could inherit them easily and without requiring manual code changes going
 forward.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43037#comment:48>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
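The enumeration concern described in the comment above, and the wish for a reusable way to keep the messages vague, can be illustrated with a small must-use plugin. This is an added example, not code from the ticket, WordPress core, BuddyPress or bbPress; the plugin name and the `example_generic_login_error` function are hypothetical, while the `authenticate` filter, the `invalid_username` / `invalid_email` / `incorrect_password` error codes and `wp_lostpassword_url()` are existing WordPress APIs.

```php
<?php
/**
 * Plugin Name: Generic Login Errors (hypothetical example)
 *
 * Collapses the user-facing "unknown username" and "incorrect password"
 * responses into one message, so a client probing wp-login.php cannot
 * tell a valid account name from an invalid one. Server-side signals are
 * untouched: the wp_login_failed action still fires with the attempted
 * username, so logging and rate limiting keep working.
 */

add_filter( 'authenticate', 'example_generic_login_error', 30, 3 );

/**
 * Runs after WordPress' own username/password and email/password checks
 * (both hooked to 'authenticate' at priority 20).
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate filters.
 * @param string                $username Submitted login or email address.
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function example_generic_login_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Successful login, or nothing submitted yet.
    }

    // Only these codes reveal whether the account exists. Empty-field
    // errors and plugin-specific errors (e.g. lockouts) are left alone.
    $enumerable = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( ! in_array( $user->get_error_code(), $enumerable, true ) ) {
        return $user;
    }

    $message = sprintf(
        /* translators: %s: URL of the lost password form. */
        __( '<strong>Error:</strong> The username or password you entered is incorrect. <a href="%s">Lost your password?</a>', 'example-generic-login' ),
        esc_url( wp_lostpassword_url() )
    );

    // Keep the original code as error data so a logging hook can still
    // distinguish the cases server-side without showing them to the user.
    return new WP_Error( 'generic_login_error', $message, $user->get_error_code() );
}
```

Dropping this file into `wp-content/mu-plugins/` applies the generic message to core, BuddyPress and bbPress login forms alike, since all of them go through `wp_signon()` and the `authenticate` filter.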