You also need to change MediaWiki:Nouserspecified
However: I myself think this is a really bad idea. I remember more than once failing login on one of the several Wikis I have an account for, unsuccessfully cycling through my usual passwords until I finally *read* the error message and noticed I had used the wrong username. You will probably impact legitimate users more than dissuading attackers. Security through obscurity is not a sound plan. If you need additional security against cracking attacks, use a CAPTCHA.
YMMV, Boris
On 1-Dec-07, at 9:56 AM, Emufarmers Sangly wrote:
On Dec 1, 2007 8:31 AM, Keir keirlawson@gmail.com wrote:
Hi, I was wondering if there was any way to change the login error message when a user tries to log in with a correct username but incorrect password to be the same as the error given when they try to log in with an incorrect password? I don't want a potential attacker to be able to know if a username is valid or not.
As a matter of general security practice I would agree with you and suggest that this be changed in the core MediaWiki code, but remember that MediaWiki comes with a publicly-viewable user list, plus user pages that will reveal whether or not a user exists. Unless you've got your wiki on complete lockdown, changing the failed login message would only give you a false sense of security and annoy your users.
At any rate, take a look at MediaWiki:Nosuchuser, MediaWiki:Nosuchusershort, MediaWiki:Wrongpassword, and MediaWiki:Wrongpasswordempty.
--
Arr, ye emus,
http://emufarmers.com
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l