[Mediawiki-l] Login errors

Boris Steipe boris.steipe at utoronto.ca
Sat Dec 1 16:49:17 UTC 2007


You also need to change MediaWiki:Nouserspecified

However: I myself think this is a really bad idea. I remember more
than once failing login on one of the several Wikis I have an account
for, unsuccessfully cycling through my usual passwords until I
finally *read* the error message and noticed I had used the wrong
username. You will probably impact legitimate users more than
dissuading attackers. Security through obscurity is not a sound plan.
If you need additional security against cracking attacks, use a CAPTCHA.

YMMV,
Boris

On 1-Dec-07, at 9:56 AM, Emufarmers Sangly wrote:

> On Dec 1, 2007 8:31 AM, Keir <keirlawson at gmail.com> wrote:
>
>> Hi, I was wondering if there was any way to change the login error
>> message when a user tries to log in with a correct username but
>> incorrect password to be the same as the error given when they try
>> to log in with an incorrect password?  I don't want a potential
>> attacker to be able to know if a username is valid or not.
>
> As a matter of general security practice I would agree with you and
> suggest that this be changed in the core MediaWiki code, but remember
> that MediaWiki comes with a publicly-viewable user list, plus user
> pages that will reveal whether or not a user exists.  Unless you've
> got your wiki on complete lockdown, changing the failed login message
> would only give you a false sense of security and annoy your users.
>
> At any rate, take a look at MediaWiki:Nosuchuser,
> MediaWiki:Nosuchusershort, MediaWiki:Wrongpassword, and
> MediaWiki:Wrongpasswordempty.
>
>
> -- 
> Arr, ye emus, http://emufarmers.com
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
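
An added example, not part of the original thread and not MediaWiki code: a small Python check that the five interface messages named in this thread all carry one identical text, so that a partial override (for instance leaving out MediaWiki:Nouserspecified) is caught. The function names and the sample message texts are constructed for illustration.

```python
import re

# Interface message keys named in this thread (lower-cased MediaWiki: titles).
LOGIN_FAILURE_KEYS = (
    "nouserspecified",
    "nosuchuser",
    "nosuchusershort",
    "wrongpassword",
    "wrongpasswordempty",
)


def normalize(text):
    """Collapse whitespace and case so cosmetic differences are ignored."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def audit_login_messages(messages):
    """Return (uniform, groups, missing) for a {key: override text} mapping.

    groups maps each distinct normalized text to the keys that use it;
    missing lists keys with no override, which would keep their own text.
    """
    groups = {}
    missing = []
    for key in LOGIN_FAILURE_KEYS:
        text = messages.get(key)
        if text is None:
            missing.append(key)
            continue
        groups.setdefault(normalize(text), []).append(key)
    uniform = not missing and len(groups) == 1
    return uniform, groups, missing


GENERIC = "Login failed. Check your username and password."  # constructed text

# Constructed sample: only some messages overridden, one with its own wording.
PARTIAL = {
    "nosuchuser": GENERIC,
    "wrongpassword": "Login failed.  Check your username and password.",
    "wrongpasswordempty": "Password entered was blank. Please try again.",
}

# Constructed sample: all five messages overridden with the same text.
UNIFORM = {key: GENERIC for key in LOGIN_FAILURE_KEYS}

if __name__ == "__main__":
    for name, sample in (("partial", PARTIAL), ("uniform", UNIFORM)):
        print(name, audit_login_messages(sample))
```

Identical messages only close this one channel; as the quoted reply notes, a publicly viewable user list and user pages still show which accounts exist.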



