Last modified: 2014-11-17 09:21:17 UTC

Bug 12206 - Vague error on captcha mismatch during login
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: ConfirmEdit (CAPTCHA extension)
Importance: Low normal with 1 vote
Assigned To: Nobody - You can work on this!
Duplicates: 18798
Reported: 2007-12-05 05:14 UTC by Tim Starling
Modified: 2014-11-17 09:21 UTC

Description Tim Starling 2007-12-05 05:14:52 UTC
A Wikipedia editor who has been signing in regularly for the last 4 years took several hours and a support request to a sysadmin to work out that he was meant to be typing a response to the post-badlogin captcha. He thought that it was just for signup. 

The error message used for a captcha mismatch on login is wfMsg('wrongpassword'), typically edited via the MediaWiki namespace on wikis where the ConfirmEdit extension is used to say something vague like "Incorrect password or confirmation code entered. Please try again."

I suggest: 
* A separate message for captcha mismatch on login, "try again"
* A separate message for blank captcha input, "you forgot to answer this challenge"
* Visual means to draw attention to the captcha on mismatch, such as a red border or background colour.
Comment 1 SJ 2007-12-13 06:02:02 UTC
I was just going to file the same bug.  On some wikis, 'wrongpassword' just says "wrong password entered" which is clearly wrong when it's a captcha mismatch.

Two separate messages for captcha mismatch, one for blank entries, is the way to go.  A css change to highlight the captcha would also be a good idea -- the same css could be used to highlight required fields that aren't entered (say, on userlogin when not entering a password twice, or when asking for 'by email' and not entering an email).
Comment 2 Tim Starling 2009-05-19 06:06:42 UTC
*** Bug 18798 has been marked as a duplicate of this bug. ***
Comment 3 Matthew Flaschen 2013-04-22 23:18:37 UTC
This is apparently intentional to avoid giving information to attackers (;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/heads/master#l535).

That doesn't mean it's worth it, though.
Comment 4 Tim Starling 2013-04-22 23:44:09 UTC
(In reply to comment #3)
> This is apparently intentional to avoid giving information to attackers
> (
> git;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/
> heads/master#l535).
> That doesn't mean it's worth it, though.

The commit message was: "Add captcha support for triggering a captcha after a bad password attempt. Legit users shouldn't be inconvenienced much, but password-guesser bots will be severely speedbumped."

The premise was incorrect. Legitimate users are inconvenienced.
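
A sketch of the suggestion in the description, added here as an example and not taken from ConfirmEdit or MediaWiki: checking the captcha before the password lets a login handler return distinct captcha errors without revealing whether the password was correct, which is the concern raised in comment 3. All function names and the two captcha message keys are hypothetical; only 'wrongpassword' appears in the report.

```php
<?php
// Added example, not ConfirmEdit code. 'wrongpassword' is the key named in the
// report; the two captcha keys and all function names are hypothetical.
const MSG_WRONG_PASSWORD   = 'wrongpassword';
const MSG_CAPTCHA_BLANK    = 'captcha-login-blank';
const MSG_CAPTCHA_MISMATCH = 'captcha-login-mismatch';

/**
 * Decide the outcome of one login attempt.
 * $checkPassword is a callable returning bool; it is only invoked once the
 * captcha (if required) has been answered correctly, so a captcha error
 * carries no information about whether the submitted password was right.
 */
function evaluateLogin(bool $captchaRequired, string $captchaInput,
                       string $captchaExpected, callable $checkPassword): array
{
    if ($captchaRequired) {
        $answer = trim($captchaInput);
        if ($answer === '') {
            // Blank field: the user most likely did not notice the challenge.
            return ['ok' => false, 'message' => MSG_CAPTCHA_BLANK, 'highlight' => 'captcha'];
        }
        if (!hash_equals($captchaExpected, $answer)) {
            return ['ok' => false, 'message' => MSG_CAPTCHA_MISMATCH, 'highlight' => 'captcha'];
        }
    }
    if (!$checkPassword()) {
        return ['ok' => false, 'message' => MSG_WRONG_PASSWORD, 'highlight' => 'password'];
    }
    return ['ok' => true, 'message' => null, 'highlight' => null];
}

// Constructed demo: the password is "correct" in every case, and the counter
// shows that it is never checked while the captcha answer is blank or wrong.
$passwordChecks = 0;
$checkPassword = function () use (&$passwordChecks): bool {
    $passwordChecks++;
    return true;
};

foreach (['', 'xk9q', 'h7wd'] as $typed) {
    $result = evaluateLogin(true, $typed, 'h7wd', $checkPassword);
    printf("captcha input %-6s -> message=%s highlight=%s password checks so far=%d\n",
        var_export($typed, true), $result['message'] ?? 'none',
        $result['highlight'] ?? 'none', $passwordChecks);
}
```

The `highlight` value is what a form template would use to apply the red border or background colour proposed in the description.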
