Re: Login errors
On Dec 1, 2007 8:31 AM, Keir <keirlawson@...> wrote:
> Hi, I was wondering if there was any way to change the login error message
> when a user tries to log in with a correct username but incorrect password
> to be the same as the error given when they try to log in with an incorrect
> password? I don't want a potential attacker to be able to know if a username
> is valid or not.
As a matter of general security practice I would agree with you and suggest
that this be changed in the core MediaWiki code, but remember that MediaWiki
comes with a publicly-viewable user list, plus user pages that will reveal
whether or not a user exists. Unless you've got your wiki on complete
lockdown, changing the failed login message would only give you a false
sense of security and annoy your users.
At any rate, take a look at MediaWiki:Nosuchuser, MediaWiki:Nosuchusershort,
MediaWiki:Wrongpassword, and MediaWiki:Wrongpasswordempty.
--
Arr, ye emus, http://emufarmers.com