[wp-testers] Incorrect Username / Incorrect Password

Peter Westwood peter.westwood at ftwr.co.uk
Wed Apr 2 16:38:32 GMT 2008


WP Testers List wrote:
| I agree the value could be considered relatively small, but surely if it
| adds any value whatsoever it's a bonus?  Especially considering the
| simplicity of the change.
|
| I don't see the link between this suggestion and needing to change
| usernames?  Sorry if I'm being thick.  Surely you're more likely to need to
| change your username using the current system, because it's more likely that
| someone will be able to successfully guess your login?

The full list of reasons is buried in the Trac history of the tickets
that have raised this before.

Pros of the message
+ Good User Experience

Cons of the message
+ Gives away the existence of a user with that username

Pros of removing the message
+ One less way to enumerate user IDs ...

The point is that there is for every install an admin user by default
and this is the one that is most likely to have rights to everything and
be the one you want to attack.

Also, user IDs often appear as part of the theme output and in the
permalinks - think author archives etc.

Therefore we are unlikely to accept a patch that _just_ changes the
message as overall it has a negative impact on the end-user.

We would happily accept a patch for a filter on the message (if one
doesn't already exist) to allow a plugin to stop it being output.

westi
--
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
~ C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
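
An added example, not part of the original message or of WordPress core: a small plugin that makes a failed login return one message whether the username or the password was wrong. It assumes a current WordPress with the `authenticate` filter and the core error codes `invalid_username`, `invalid_email` and `incorrect_password`, all of which postdate this 2008 thread; the plugin name and the `ule_` prefix are hypothetical.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (hypothetical example plugin)
 * Description: Returns a single message for any failed username/password check.
 */

defined( 'ABSPATH' ) || exit; // Refuse to run outside WordPress.

// Core error codes that tell the visitor which half of the
// credential pair was wrong, and therefore whether the account exists.
const ULE_REVEALING_CODES = array(
	'invalid_username',
	'invalid_email',
	'incorrect_password',
);

/**
 * Swap a revealing authentication error for a generic one.
 *
 * @param WP_User|WP_Error|null $user     Result from earlier authenticate callbacks.
 * @param string                $username Submitted login (unused, kept for the hook signature).
 * @param string                $password Submitted password (unused).
 * @return WP_User|WP_Error|null
 */
function ule_uniform_auth_error( $user, $username, $password ) {
	// Successful logins and "no decision yet" (null) pass through untouched.
	if ( ! is_wp_error( $user ) ) {
		return $user;
	}

	// Leave unrelated errors alone, e.g. empty_username or empty_password,
	// so the form still tells a user that a field was left blank.
	if ( ! array_intersect( $user->get_error_codes(), ULE_REVEALING_CODES ) ) {
		return $user;
	}

	// Same code and same text for an unknown user and for a wrong password.
	return new WP_Error(
		'ule_login_failed',
		__( 'Incorrect username or password.' )
	);
}

// Priority 100 runs after core's own username/email password checks,
// so the error they produced is the one being rewritten here.
add_filter( 'authenticate', 'ule_uniform_auth_error', 100, 3 );
```

This hooks authentication rather than the message string, so other login-page messages are unaffected. As the message notes, usernames that appear in theme output and author archives remain discoverable regardless.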