WordPress.org

Make WordPress Core

Opened 22 months ago

Closed 4 weeks ago

Last modified 4 weeks ago

#43037 closed defect (bug) (fixed)

Login error message "Invalid username. Lost your password?" is confusing

Reported by: afercia Owned by: SergeyBiryukov
Milestone: 5.3 Priority: normal
Severity: normal Version: 2.8
Component: Login and Registration Keywords: has-screenshots has-patch has-copy-review
Focuses: ui, accessibility Cc:
PR Number:

Description

Error messages should always clearly describe the error to allow users determine what is wrong. This is also a WCAG requirement, as recently pointed out in #42985.

When entering an invalid username (or email), the returned error message is Invalid username. Lost your password? (or invalid email address), with a link pointing to the retrieve password page:

https://cldup.com/sh4NF-07iV.png

While this link makes perfectly sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, why I should ever be offered a link to retrieve my password?

Introduced 9 years ago in [10960] see #9442, and then duplicated for the email login in [36617] see #9568.

Attachments (6)

43037.diff (758 bytes) - added by subrataemfluence 22 months ago.
43037-2.diff (665 bytes) - added by subrataemfluence 22 months ago.
user.php (94.9 KB) - added by zalak151291 22 months ago.
43037.3.diff (1.0 KB) - added by ryokuhi 6 weeks ago.
Clarifies error messages in login page when the user enters invalid username or email address.
43037.3.diff Login screen.jpg (202.7 KB) - added by ryokuhi 6 weeks ago.
Login screen after 43037.3.diff patch
43037.2.diff (832 bytes) - added by afercia 4 weeks ago.

Download all attachments as: .zip

Change History (51)

#1 @afercia
22 months ago

/cc @johnbillion @voldemortensen

#2 @subrataemfluence
22 months ago

  • Keywords has-patch added

Since self hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address, "Lost your password" link is not feasible as @afercia has mentioned already. Hence, we might take out that Forgot Password link completely when WordPress checks for wrong username or email address. The issue still persists in current stable version (4.9.1) as well.

I have uploaded a diff. Let me know if that makes any sense.

Thank you!

This ticket was mentioned in Slack in #accessibility by afercia. View the logs.


22 months ago

#4 @afercia
22 months ago

  • Milestone changed from Awaiting Review to 5.0

#5 in reply to: ↑ description ; follow-up: @SergeyBiryukov
22 months ago

Replying to afercia:

While this link makes perfectly sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, why I should ever be offered a link to retrieve my password?

I think it still makes sense when they enter a wrong username. If a user only remembers the email address, password reset email can be used to remember the correct username (the email contains the site name and the username).

Same for "Invalid email address" error, if a user only remembers the username, they can use the password reset form and then check their inboxes to find where the email went.

Maybe the link text could be changed to something else (e.g. "Lost your username?", "Recover account", "Try password reset"), but I think the link should stay. There's already a "Lost your password?" link below the form, but it's not very noticeable, and getting an error message without any hint for a resolution is not very user-friendly :)

Replying to subrataemfluence:

Since self hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address

It does allow you to see the username in the password reset email if you remember the email address.

Last edited 22 months ago by SergeyBiryukov (previous) (diff)

#6 @afercia
22 months ago

@SergeyBiryukov good points! I've just checked the text of the reset password email and it does contain the username:

Someone has requested a password reset for the following account:

Site Name: My Site

Username: myusername

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

<http://example.org/wp-login.php?action=rp&key={some key here}&login=myusername>

Then, I'd completely agree with you the link text and any other reference to "password reset" or "new password" should be changed, because this is not just a password reset: it sends you also your username :)

At this point, also the text displayed on ?action=lostpassword should be dynamic and differentiate the two cases:
Document title: Lost Password
Notice text:

Please enter your username or email address. You will receive a link to create a new password via email.
  • can't remember username? The document title should not mention the password and the text should be something like:
    Please enter your email address. You will receive an email with your username and a link to create a new password.
    
  • can't remember password? OK as is.

#7 @afercia
22 months ago

Three cases actually... :)

Same for "Invalid email address" error, if a user only remembers the username,

#8 in reply to: ↑ 5 @subrataemfluence
22 months ago

Replying to SergeyBiryukov:

You are right. If a user forgets both Username and Email address, it would be a complete mess!

I have uploaded a modified diff file which uses specific error messages for Username and Email address.

Replying to afercia:

While this link makes perfectly sense when users enter a wrong password, it doesn't when they enter a wrong username. The error is a wrong username, why I should ever be offered a link to retrieve my password?

I think it still makes sense when they enter a wrong username. If a user only remembers the email address, password reset email can be used to remember the correct username (the email contains the site name and the username).

Same for "Invalid email address" error, if a user only remembers the username, they can use the password reset form and then check their inboxes to find where the email went.

Maybe the link text could be changed to something else (e.g. "Lost your username?", "Recover account", "Try password reset"), but I think the link should stay. There's already a "Lost your password?" link below the form, but it's not very noticeable, and getting an error message without any hint for a resolution is not very user-friendly :)

Replying to subrataemfluence:

Since self hosted WordPress does not really provide any inbuilt functionality for retrieving username/email address

It does allow you to see the username in the password reset email if you remember the email address.

@zalak151291
22 months ago

This ticket was mentioned in Slack in #accessibility by rianrietveld. View the logs.


14 months ago

#10 @afercia
14 months ago

  • Milestone changed from 5.0 to 4.9.9

Discussed during today's accessibility bug-scrub an agreed to try this for 4.9.9 consideration.

#11 @SergeyBiryukov
14 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#12 @pento
13 months ago

  • Milestone changed from 4.9.9 to 5.0.1

#13 @pento
11 months ago

  • Milestone changed from 5.0.1 to 5.0.2

#14 @pento
11 months ago

  • Milestone changed from 5.0.2 to 5.0.3

#15 @audrasjb
10 months ago

  • Milestone changed from 5.0.3 to 5.1

Hi,

Since 5.0.3 is going to be released in few days and as the ticket still needs review and commit, let's address this one in 5.1, coming next month.

#16 @pento
10 months ago

  • Milestone changed from 5.1 to 5.2

I'm not wild about the proposed changes. I'm fine with us changing this string, but it needs better wording.

This ticket was mentioned in Slack in #accessibility by afercia. View the logs.


8 months ago

#18 @joedolson
8 months ago

This text needs revising, and the target reset password form should also convey to the user what information they will receive in addition to their new password.

#19 @SergeyBiryukov
8 months ago

  • Milestone changed from 5.2 to 5.3

Missed the 5.2 Beta 1 deadline, moving to 5.3.

This ticket was mentioned in Slack in #accessibility by afercia. View the logs.


8 months ago

#21 @ramiy
6 months ago

Related: #35736

Replace 'Lost Password' phrase with 'Reset Password'

This ticket was mentioned in Slack in #accessibility by audrasjb. View the logs.


8 weeks ago

#23 follow-ups: @audrasjb
8 weeks ago

  • Keywords needs-copy-review added

Are we fine with "Recover" wording? Should we rather user "Reset"?

#24 in reply to: ↑ 23 @marybaum
8 weeks ago

  • Keywords has-copy-review added; needs-copy-review removed

Replying to audrasjb:

Are we fine with "Recover" wording? Should we rather user "Reset"?

My first choice is

Get help with login.

Second would be

Reset login information.

Covers all cases, is brief and doesn't make user feel stupid -- a big source of my users, anyway, losing their creds in the first place.

#25 in reply to: ↑ 23 @ramiy
8 weeks ago

Replying to audrasjb:

Are we fine with "Recover" wording? Should we rather user "Reset"?

In most cases we use "Reset Password". Core does not use "Recover Password", but it sound better then "Lost your password?".

In any case, the only place we use "Recover" wording is the "Recovery Mode".

#26 @afercia
8 weeks ago

Worth noting the original issue on this ticket is mainly about the invalid username / email message and secondly about the reset password link.

The point is: when users enter a wrong username the error message is:

ERROR: Invalid username. Lost your password?

When they enter a wrong email it's:

ERROR: Invalid email address. Lost your password?

In both cases, the error mentions the username or the email while the only option provided by the user interface is a "Lost your password?" link:

  • the link Lost your password? seems unrelated to errors about username / email
  • nothing informs users that, if they entered a wrong username, they can try with their email or vice-versa
  • nothing explains users that the reset email they will receive contains also the username
  • nothing informs users that usernames can't be changed anyways (emails can be changed)

Overall, the wording of the username/email error message and the wording of the Lost your password? link don't fully describe what the next steps for users are.

This issue was discussed a bit more in depth during yesterday's extra accessibility bug-scrub focused on the WordPress 5.3 release. The general feedback was that some better wording could greatly help. For example: changing the lost password link a more generic sentence. Here's a couple options:

  • Retrieve your login data
  • Get help with login

However, I'd tend to think this issue deserves some more thinking. Let's go through the possible scenarios:

case 1

  • enter a wrong username
  • I get the message ERROR: Invalid username. Lost your password?
  • nothing informs me I can use my email to log in
  • click on Lost your password? because it's the only option
  • I'm asked for my email (which I can actually use to log in)
  • I get an email which contains my username and a link to reset the password
  • click the link
  • enter new password etc.
  • result: I was able to retrieve my username, though the process didn't inform me properly and forced me to change my password

case 2

  • enter a wrong email
  • I get the message ERROR: Invalid email address. Lost your password?
  • nothing informs me I can use my username to log in
  • click on Lost your password? because it's the only option
  • I'm asked for... my email but I can't remember my email: dead end

case 3

  • enter a wrong password
  • OK this works :)

case 4

  • enter both a wrong username/email and a wrong password
  • note: the user interface displays only the Invalid username message first
  • a mix of the above cases

Basically, cases 1 and 2 could be improved.

Seems to me there's no point in displaying the reset password link when the username or email are wrong. While it is true that the reset email contains the username, there's really no "retrieve username" or "retrieve email" option. To get the reset email, users have to remember at least their email which can already be used to log in. This case would need to be better explained.

Pretending I'm not missing anything, I'd like to propose to remove the reset password link from the username and email error messages:

ERROR: Invalid username. You can try with your email.
ERROR: Invalid email address. You can try with your username.

The wrong password messages can stay unchanged:

ERROR: The password you entered for the username {your-username} is incorrect. Lost your password?
ERROR: The password you entered for the email address {your-email} is incorrect. Lost your password?

Any feedback very welcome.

Last edited 7 weeks ago by afercia (previous) (diff)

#27 @afercia
8 weeks ago

  • Keywords 2nd-opinion added

To clarify (before it gets asked) why WordPress doesn't hide error messages related to the username and why that's not considered "information disclosure", see https://core.trac.wordpress.org/ticket/3708#comment:3 and all the following tickets closed as "wontfix", for example #4290.

#28 @ryokuhi
8 weeks ago

I agree with @afercia on pretty everything.

A couple more points worth noting to me.

1) In order to login, apart from the password, users need to know either the username or the email address. As long as they remember their password, they can find both the username and the email address in their profile page. As such, users don't really need the email with the password reset link, not even to retrieve their username.

2) In my experience, the most common cause for a wrong username or email address is a typo. As such, the first advice a user should get is simply to try again. This is how I would rephrase error messages:

ERROR: Invalid username. Try again, you can also use your email address.
ERROR: Invalid email address. Try again, you can also use your username.

with no links to other pages. Such lines of text should be easily understandable to all and are quite short, so they don't break the UI.

I can rewrite the patch if needed.

Last edited 7 weeks ago by ryokuhi (previous) (diff)

#29 @afercia
8 weeks ago

Good point @ryokuhi! The "retry" part makes sense to me.

#30 @afercia
7 weeks ago

I can rewrite the patch if needed.

@ryokuhi do feel free to go ahead :)

@ryokuhi
6 weeks ago

Clarifies error messages in login page when the user enters invalid username or email address.

@ryokuhi
6 weeks ago

Login screen after 43037.3.diff patch

#31 @ryokuhi
6 weeks ago

I wrote the patch and added the screenshots of the login page when new error messages are displayed.

In my opinion, there are some inconsistences in capitalization that should be solved before committing. The whole form uses title case, while the error messages use sentence case. There are two ways to solve this issue:

  • capitalize Username and Email Address in the error message (quick fix);
  • switch to sentence case in the form (needs a bit more time).

I tend to think that title case is more difficult to read, so I'm more inclined towards changing the form instead. Checking for other tickets about capitalitazion, I found #47298 (already closed and included in 5.3 Beta 1) where, in a similar situation, it's stated that sentence case is more favorable in general. Maybe a discussion about capitalization style across the entire WordPress interface should be started in a new ticket.

As a side note about capitalitazion and the login form, I think that writing ERROR in all caps isn't particularly user friendly. Since Error is already included in a strong tag, capitalizing the first letter may be enough. As there are different ways to show error messages across the WordPress interface, reviewing and uniforming them might also be worth of a new ticket.

Last edited 6 weeks ago by ryokuhi (previous) (diff)

This ticket was mentioned in Slack in #accessibility by audrasjb. View the logs.


5 weeks ago

This ticket was mentioned in Slack in #core by david.baumwald. View the logs.


5 weeks ago

This ticket was mentioned in Slack in #core by afercia. View the logs.


5 weeks ago

#35 @markjaquith
5 weeks ago

Cleaning up the wording a bit:

Invalid email address. Try again, or enter a username instead.

Invalid username. Try again, or enter an email address instead.

#36 @chanthaboune
5 weeks ago

I would love for this to be a little more friendly, since the rest of that page looks so friendly! I've shared a few options below, so take your pick (or mix and match as needed).

"I don't recognize that username. Check for errors or use your email address!"
"I don't recognize that email address. Check for errors or use your username!"

"ERROR: Invalid username. Check again or try your email address!"
"ERROR: Invalid email address. Check again or try your username!"

"Unknown username. Try again or use your email address."
"Unknown email address. Try again or use your username."

#37 @markjaquith
5 weeks ago

I definitely prefer "unknown" over "invalid". It's more accurate, as well as being friendlier!

I don't like "I don't recognize" — where else does WordPress talk to you like a being?

These seem fine:

Unknown username. Check again or try your email address.

Unknown email address. Check again or try your username.

#38 @ryokuhi
5 weeks ago

Thanks to both @chanthaboune and @markjaquith for your feedback.
Taking what I think is the best from all the proposed texts, I'd suggest using the following messages:

ERROR: Unknown username. Try again or enter your email address instead.
ERROR: Unknown email address. Try again or enter your username instead.

We have to keep "ERROR: " at the beginning of the error message: otherwise, the fact that the notification is an error would be conveyed only by the red bar on the left and that would be a violation of https://www.w3.org/WAI/WCAG21/quickref/?versions=2.0#use-of-color.

Any feedback about this copy would be greatly appreciated, but since Beta 3 (and soft string freeze) is next Monday, it has to be very quick, so that there's time for writing, reviewing and commiting the patch.

As there was no feedback on how to deal with capitalization issues in the login form, I'd suggest to keep everything as it currently is and then open a new ticket to fix these in a future release.

This ticket was mentioned in Slack in #accessibility by audrasjb. View the logs.


5 weeks ago

#40 @audrasjb
5 weeks ago

  • Keywords needs-refresh added

That's a +1 on my side, though we could avoid to capitalize "Error".
Not sure the word "Error" is even needed in this message. I think we could keep the two previous proposals:

Unknown username. Check again or try your email address.
Unknown email address. Check again or try your username.

#41 @joedolson
5 weeks ago

I’m fine with the proposal as it is. However, while I think that adding the word ‘error’ can add clarity, it's not actually required.

I’m not convinced that the use of the color red in this case is meaningful - that is, a user does not need to know that the error is highlighted in red to realize this an error. That’s conveyed by the text, and by the fact you weren’t logged in.

#42 @afercia
4 weeks ago

I'd agree users don't necessarily need to know whether it's an error, warning, or info :) They need proper feedback and guidance for remediation.

Regarding the other occurrences in core of the all caps ERROR I'd propose to open a new ticket: all caps should be avoided for better readability and because screen readers may pronounce all caps as abbreviations. Noting there are inconsistencies in core: sometimes ERROR is all caps, sometimes it's sentence case, sometimes it's bold, sometimes the entire error message is bold. The most recently added ones (PHP compatibility and SIte Health) seem to use sentence case.
A few examples:

<strong>ERROR:</strong> There was an error connecting to the server ...
<strong>Error:</strong> Current WordPress and PHP versions do not meet ...
<strong>Error:</strong> This plugin <strong>requires a newer version of PHP</strong>.
<strong>' . __( 'ERROR: The network could not be created.' ) . '</strong>

@afercia
4 weeks ago

#43 @afercia
4 weeks ago

  • Keywords commit added; 2nd-opinion needs-refresh removed

43037.2.diff updates the strings to the new ones:

Unknown username. Check again or try your email address.
Unknown email address. Check again or try your username.

Keeps all the other ones unchanged: some of them still use the all caps 'ERROR'. Ideally, 'ERROR' should be removed from anywhere but I guess not at this point of the release cycle (Beta 3).

#44 @afercia
4 weeks ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46417:

Accessibility: Login and Registration: Improve the invalid username and invalid email messages.

  • explicitly informs users they can use their email to log in as an alternative to their username and vice-versa
  • shows the Lost your password? link only when an wrong password has been entered
  • uses a more appropriate copy by changing "invalid" to "unknown"
  • removes the all caps ERROR

Props subrataemfluence, zalak151291, ryokuhi, SergeyBiryukov, audrasjb, joedolson, marybaum, ramiy, markjaquith, chanthaboune, afercia.
Fixes #43037.

#45 @afercia
4 weeks ago

  • Keywords commit removed
Note: See TracTickets for help on using tickets.