Last modified: 2014-11-17 09:21:17 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T14206, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 12206 - Vague error on captcha mismatch during login
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: ConfirmEdit (CAPTCHA extension)
Version: unspecified
Hardware: All
OS: All
Importance: Low normal (1 vote)
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Duplicates: 18798
Depends on:
Blocks:
Reported: 2007-12-05 05:14 UTC by Tim Starling
Modified: 2014-11-17 09:21 UTC (History)
CC: 3 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Tim Starling 2007-12-05 05:14:52 UTC
A Wikipedia editor who has been signing in regularly for the last 4 years took several hours and a support request to a sysadmin to work out that he was meant to be typing a response to the post-badlogin captcha. He thought that it was just for signup. 

The error message used for a captcha mismatch on login is wfMsg('wrongpassword'), typically edited via the MediaWiki namespace on wikis where the ConfirmEdit extension is used to say something vague like "Incorrect password or confirmation code entered. Please try again."

I suggest: 
* A separate message for captcha mismatch on login, "try again"
* A separate message for blank captcha input, "you forgot to answer this challenge"
* Visual means to draw attention to the captcha on mismatch, such as a red border or background colour.
Comment 1 SJ 2007-12-13 06:02:02 UTC
I was just going to file the same bug. On some wikis, 'wrongpassword' just says "wrong password entered" which is clearly wrong when it's a captcha mismatch.

Two separate messages for captcha mismatch, one for blank entries, is the way to go. A CSS change to highlight the captcha would also be a good idea -- the same CSS could be used to highlight required fields that aren't entered (say, on userlogin when not entering a password twice, or when asking for 'by email' and not entering an email).
Comment 2 Tim Starling 2009-05-19 06:06:42 UTC
*** Bug 18798 has been marked as a duplicate of this bug. ***
Comment 3 Matthew Flaschen 2013-04-22 23:18:37 UTC
This is apparently intentional to avoid giving information to attackers (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/ConfirmEdit.git;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/heads/master#l535).

That doesn't mean it's worth it, though.
Comment 4 Tim Starling 2013-04-22 23:44:09 UTC
(In reply to comment #3)
> This is apparently intentional to avoid giving information to attackers
> (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/ConfirmEdit.
> git;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/
> heads/master#l535).
> 
> That doesn't mean it's worth it, though.

The commit message was: "Add captcha support for triggering a captcha after a bad password attempt. Legit users shouldn't be inconvenienced much, but password-guesser bots will be severely speedbumped."

The premise was incorrect. Legitimate users are inconvenienced.
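The login path this thread discusses, as an added example that is not ConfirmEdit's code: a captcha demanded only after repeated bad logins, separate "captcha-blank" and "captcha-mismatch" messages as the description proposes, and the name of the form field to highlight. The captcha is decided, and the request answered, before the password is examined, so the more specific messages reveal nothing about the password, which addresses the concern raised in comment 3. The message keys, the failure threshold, the sample user table, the client key and the toy challenge generator are all assumptions made for this example.

```python
"""Post-badlogin CAPTCHA login flow with distinct, non-leaking error messages.

Added example, not ConfirmEdit's code. Message keys, threshold, user table and
challenge generator are assumptions; the credential store is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

BADLOGIN_THRESHOLD = 3  # assumed: failed logins before a captcha is demanded

# Assumed message keys, modelled on MediaWiki-style i18n keys.
MESSAGES = {
    "wrongpassword": "Incorrect username or password. Please try again.",
    "captcha-blank": "You forgot to answer the confirmation question. Please answer it and try again.",
    "captcha-mismatch": "The confirmation answer did not match. Please try again.",
}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store (one shared salt only to keep this short).
_SALT = b"constructed-salt"
USERS = {"alice": _hash("correct horse", _SALT)}
# Compared when the username is unknown, so the password check costs the same
# time whether or not the account exists.
_DUMMY_HASH = _hash(secrets.token_hex(8), _SALT)


@dataclass
class LoginResult:
    ok: bool
    message: Optional[str]    # i18n key, None on success
    highlight: Optional[str]  # form field to draw attention to, None on success


class LoginGate:
    """Counts bad logins per client key and gates the password check behind a captcha."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.challenges: dict[str, str] = {}

    def captcha_required(self, key: str) -> bool:
        return self.failures.get(key, 0) >= BADLOGIN_THRESHOLD

    def challenge(self, key: str) -> str:
        """Issue (or return the outstanding) expected captcha answer for this client."""
        # Toy challenge; a real form would render this as a distorted image.
        return self.challenges.setdefault(key, secrets.token_hex(3))

    def login(self, key: str, username: str, password: str, captcha_answer: str = "") -> LoginResult:
        if self.captcha_required(key):
            expected = self.challenge(key)
            # Decide the captcha first and return before the password is examined,
            # so a captcha-specific message cannot leak whether the password was right.
            if captcha_answer.strip() == "":
                return LoginResult(False, "captcha-blank", "wpCaptchaWord")
            self.challenges.pop(key, None)  # any non-blank answer consumes the challenge
            if not hmac.compare_digest(captcha_answer.strip(), expected):
                return LoginResult(False, "captcha-mismatch", "wpCaptchaWord")

        stored = USERS.get(username)
        known = stored is not None
        candidate = _hash(password, _SALT)
        if hmac.compare_digest(candidate, stored if known else _DUMMY_HASH) and known:
            self.failures.pop(key, None)
            return LoginResult(True, None, None)

        # One message for bad username and bad password: no account enumeration.
        self.failures[key] = self.failures.get(key, 0) + 1
        return LoginResult(False, "wrongpassword", "wpPassword")


def render(result: LoginResult) -> str:
    """Text the login form would show for this attempt."""
    return "Logged in." if result.ok else MESSAGES[result.message]


if __name__ == "__main__":
    gate = LoginGate()
    client = "203.0.113.7|alice"  # constructed client key (address + username)
    for _ in range(BADLOGIN_THRESHOLD):
        print(render(gate.login(client, "alice", "wrong")))
    print(render(gate.login(client, "alice", "correct horse")))            # blank captcha
    print(render(gate.login(client, "alice", "correct horse", "nope")))    # mismatch
    print(render(gate.login(client, "alice", "correct horse", gate.challenge(client))))
```

The blank-answer branch keeps the outstanding challenge, since the user simply overlooked the field, while a non-blank answer always consumes it so a bot cannot retry the same challenge. The `highlight` field is what a template would use to give the captcha input the red border the description asks for.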
