
Vague error on captcha mismatch during login
Open, LowPublic

Description

A Wikipedia editor who has been signing in regularly for the last 4 years took several hours and a support request to a sysadmin to work out that he was meant to be typing a response to the post-badlogin captcha. He thought that it was just for signup.

The error message used for a captcha mismatch on login is wfMsg('wrongpassword'), typically edited via the MediaWiki namespace on wikis where the ConfirmEdit extension is used to say something vague like "Incorrect password or confirmation code entered. Please try again."

I suggest:

  • A separate message for captcha mismatch on login, "try again"
  • A separate message for blank captcha input, "you forgot to answer this challenge"
  • Visual means to draw attention to the captcha on mismatch, such as a red border or background colour.

Version: unspecified
Severity: normal

Details

Reference
bz12206

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 9:55 PM
bzimport set Reference to bz12206.
bzimport added a subscriber: Unknown Object (MLST).

I was just going to file the same bug. On some wikis, 'wrongpassword' just says "wrong password entered" which is clearly wrong when it's a captcha mismatch.

Two separate messages for captcha mismatch, one for blank entries, is the way to go. A CSS change to highlight the captcha would also be a good idea -- the same CSS could be used to highlight required fields that aren't entered (say, on userlogin when not entering a password twice, or when asking for 'by email' and not entering an email).

  • Bug 18798 has been marked as a duplicate of this bug.

(In reply to comment #3)

This is apparently intentional to avoid giving information to attackers
(https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/ConfirmEdit.git;a=blob;f=Captcha.php;h=2d6afbf6d2bb99491d89b341054014e6764b09e3;hb=refs/heads/master#l535).

That doesn't mean it's worth it, though.

The commit message was: "Add captcha support for triggering a captcha after a bad password attempt. Legit users shouldn't be inconvenienced much, but password-guesser bots will be severely speedbumped."

The premise was incorrect. Legitimate users are inconvenienced.

The really nasty part is that if you hit the captcha throttle you will still get wrongpassword, even if both the password and the captcha are correct.
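A small model of the post-badlogin flow this thread argues about, added here as an illustration and not ConfirmEdit's or MediaWiki's code. It assumes a toy user store and captcha table (constructed values) and shows the ordering that makes the separate messages safe: the captcha is checked before the password, so "blank" or "mismatch" reveals nothing about the password guess, and a throttled request gets its own message instead of a misleading 'wrongpassword'.

```python
from dataclasses import dataclass
import hmac

# Constructed sample data for the model only; a real wiki stores password hashes.
USERS = {"alice": "correct horse"}
CAPTCHA_ANSWERS = {"c1": "7"}
CAPTCHA_AFTER = 1   # require a captcha once this many bad passwords have been seen
THROTTLE_AT = 5     # refuse further attempts after this many bad passwords


@dataclass
class LoginState:
    bad_attempts: int = 0
    captcha_required: bool = False


def login(state, user, password, captcha_id=None, captcha_answer=None):
    """Return a message key for one login attempt.

    The captcha is evaluated before the password: a captcha-specific message
    therefore says nothing about whether the password was right, which is the
    concern raised against separate messages in the thread above.
    """
    if state.bad_attempts >= THROTTLE_AT:
        # Distinct key: do not reuse 'wrongpassword' for a throttled attempt,
        # since the password and captcha may both be correct here.
        return "login-throttled"
    if state.captcha_required:
        if captcha_answer is None or captcha_answer.strip() == "":
            return "captcha-blank"        # "you forgot to answer this challenge"
        expected = CAPTCHA_ANSWERS.get(captcha_id, "")
        if not hmac.compare_digest(expected, captcha_answer):
            return "captcha-mismatch"     # "try again"; password not evaluated
    stored = USERS.get(user, "")
    if user not in USERS or not hmac.compare_digest(stored, password):
        state.bad_attempts += 1
        state.captcha_required = state.bad_attempts >= CAPTCHA_AFTER
        return "wrongpassword"
    state.bad_attempts = 0
    state.captcha_required = False
    return "success"
```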