Last modified: 2014-11-17 09:21:17 UTC
A Wikipedia editor who has been signing in regularly for the last 4 years took several hours and a support request to a sysadmin to work out that he was meant to be typing a response to the post-badlogin captcha. He thought that it was just for signup. The error message used for a captcha mismatch on login is wfMsg('wrongpassword'), typically edited via the MediaWiki namespace on wikis where the ConfirmEdit extension is used to say something vague like "Incorrect password or confirmation code entered. Please try again."

I suggest:

* A separate message for captcha mismatch on login, "try again"
* A separate message for blank captcha input, "you forgot to answer this challenge"
* Visual means to draw attention to the captcha on mismatch, such as a red border or background colour.
I was just going to file the same bug. On some wikis, 'wrongpassword' just says "wrong password entered", which is clearly wrong when it's a captcha mismatch. Two separate messages for captcha mismatch, one for blank entries, is the way to go. A CSS change to highlight the captcha would also be a good idea -- the same CSS could be used to highlight required fields that aren't entered (say, on userlogin when not entering a password twice, or when asking for 'by email' and not entering an email).
*** Bug 18798 has been marked as a duplicate of this bug. ***
This is apparently intentional to avoid giving information to attackers (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/ConfirmEdit.git;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/heads/master#l535). That doesn't mean it's worth it, though.
(In reply to comment #3)
> This is apparently intentional to avoid giving information to attackers
> (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/ConfirmEdit.git;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/heads/master#l535).
>
> That doesn't mean it's worth it, though.

The commit message was: "Add captcha support for triggering a captcha after a bad password attempt. Legit users shouldn't be inconvenienced much, but password-guesser bots will be severely speedbumped."

The premise was incorrect. Legitimate users are inconvenienced.
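As an added illustration of the message split proposed in comment 1 alongside the "information to attackers" concern raised in comments 3 and 4 (example code, not ConfirmEdit's own): the captcha is evaluated before the password and a captcha failure returns early, so the separate captcha messages say nothing about whether the password was right. The two captcha message keys, the user store and the hashing scheme are assumptions; only 'wrongpassword' is a key named in the thread.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Message keys. 'wrongpassword' is the MediaWiki key named in the thread; the
# two captcha keys are hypothetical names for the separate messages proposed.
MSG_WRONG_PASSWORD = "wrongpassword"
MSG_CAPTCHA_BLANK = "captcha-blank"
MSG_CAPTCHA_MISMATCH = "captcha-mismatch"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: {username: (salt, pbkdf2 hash)}; not MediaWiki's model.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


@dataclass
class LoginResult:
    ok: bool
    message: Optional[str]     # message key to render, None on success
    highlight_captcha: bool    # True -> add a CSS class (e.g. red border) to the captcha field


def check_login(username: str, password: str, captcha_required: bool,
                expected_answer: Optional[str], given_answer: Optional[str]) -> LoginResult:
    """Decide which message the login form shows.

    The captcha is checked first and a failure returns before the password is
    ever compared, so the captcha-specific messages tell the user what to fix
    without revealing whether the password would have been accepted."""
    if captcha_required:
        answer = (given_answer or "").strip()
        if answer == "":
            return LoginResult(False, MSG_CAPTCHA_BLANK, True)
        expected = (expected_answer or "").strip()
        if not hmac.compare_digest(answer.lower().encode(), expected.lower().encode()):
            return LoginResult(False, MSG_CAPTCHA_MISMATCH, True)
    record = USERS.get(username)
    # Unknown user and wrong password share one message so usernames cannot be
    # enumerated; hashing against a dummy salt keeps timing similar for unknown users.
    salt, stored = record if record else (b"\x00" * 16, b"")
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return LoginResult(False, MSG_WRONG_PASSWORD, False)
    return LoginResult(True, None, False)
```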