Ticket #1129 (closed defect: wontfix)

Opened 3 years ago

Last modified 3 years ago

Don't distinguish between bad login and bad password in error messages

Reported by: anonymousbugger
Assigned to: matt
Priority: normal
Milestone:
Component: Security
Version: 1.5
Severity: minor
Keywords:
Cc:

Description

Currently wp-login.php gives different error messages for bad logins and bad passwords. This may be user-friendly but it also helps hackers because it tells them when they have found a valid user name (i.e. they can concentrate on the password then). Please give out the same error message for both bad logins and bad passwords.

Attachments

login.patch (1.0 kB) - added by anonymousbugger on 05/21/05 06:36:57.

Change History

03/17/05 21:51:38 changed by anonymousbugger

  • Patch set to No.

03/17/05 23:54:42 changed by ryan

  • status changed from new to assigned.

03/18/05 15:21:59 changed by anonymousbugger

Something similar needs to be done for wp-login.php/retrievepassword, otherwise that can be abused to find valid login names.
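An added illustration of the point made in the description and in the comment above (example code written for this page, not WordPress code or the attached patch): a login check that leaks which half of the credential was wrong, beside one that returns the same message and does the same amount of hashing work whether or not the username exists, plus the same uniform-response idea for the password-retrieval form. The user table, salt and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so a lookup miss still costs one full hash (no timing tell).
_DUMMY = (_SALT, _hash("dummy-not-a-real-password", _SALT))
GENERIC = "Error: Invalid username or password."

def login_leaky(username: str, password: str):
    """Behaviour the ticket complains about: the message says which part was wrong."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "Error: Wrong username.")
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return (False, "Error: Incorrect password.")
    return (True, "Welcome")

def login_uniform(username: str, password: str):
    """Requested fix: one message, and one hash computed, for every failure."""
    salt, digest = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), digest)
    # 'username in USERS' stops a guess of the dummy password from succeeding.
    if match and username in USERS:
        return (True, "Welcome")
    return (False, GENERIC)

OUTBOX = []  # stands in for the mailer; the page (not the visitor) sees it

def retrieve_password(username: str) -> str:
    """Password-retrieval form: identical reply whether or not the account exists."""
    if username in USERS:
        OUTBOX.append(username)  # reset mail would be queued here
    return "If that account exists, a reset link has been sent."

def leaks_usernames(login_fn) -> bool:
    """Defender's check: does an unknown user get a different message than a bad password?"""
    return login_fn("nobody", "x")[1] != login_fn("alice", "x")[1]
```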

03/18/05 15:32:50 changed by matt

  • owner changed from anonymous to matt.
  • status changed from assigned to closed.
  • resolution changed from 10 to 90.

They can figure out usernames a million easier ways.

05/21/05 06:36:57 changed by anonymousbugger

  • attachment login.patch added.