A Wikipedia editor who has been signing in regularly for the last 4 years took several hours and a support request to a sysadmin to work out that he was meant to be typing a response to the post-badlogin captcha. He thought that it was just for signup.
The error message used for a captcha mismatch on login is wfMsg('wrongpassword'), typically edited via the MediaWiki namespace on wikis where the ConfirmEdit extension is used to say something vague like "Incorrect password or confirmation code entered. Please try again."
I suggest:
- A separate message for captcha mismatch on login, "try again"
- A separate message for blank captcha input, "you forgot to answer this challenge"
- Visual means to draw attention to the captcha on mismatch, such as a red border or background colour.
Version: unspecified
Severity: normal