Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Invalid Password inquiry

edited December 2011 in Vanilla 2.0 - 2.8

Hi there. I'm a Mod on a forum and am always getting inboxes on my FB account of users unable to get into our forum. The most common complaint is 'Password Is Invalid' - even when using their FB account to log in. PLEASE help, I'm at a loss as to what to tell people and a search of these forums haven't yielded any results. Thank you in advance for your time.


  • Options
    ToddTodd Chief Product Officer Vanilla Staff

    The only place in vanilla where 'Password Is Invalid' occurs happens when users are restting their passwords and don't enter one.

    When people sign in with Facebook and have to enter a password it means that there is already an account associated with their Facebook email and they have to enter its password to link things up. They may be getting confused and are entering their Facebook password rather than the password they entered when creating the account on Vanilla.

    You can ask them to sign in just to Vanilla to make sure they know their passwords and then they can sign out and re-sign in with Facebook to link their accounts.

  • Options
    422422 Developer MVP

    They may also be signed into facebook pages, which causes an issue, but this is a generic fb connect problem

    There was an error rendering this rich post.

  • Options

    I just switched from PHPBB tot Vanilla 2.1.

    When I log in with incorrect credentials, Vanilla tells me "invalid password" or "user not found". Why ? Wouldn't it be better to return "Username or password invalid" or "Invalid credentials".

  • Options

    This is not really a security concern as the existence of a username in a public forum is no secret.

    I think messages like "Username or password invalid" are less user friendly and annoying.

  • Options
    hgtonighthgtonight ∞ · New Moderator

    In a private forum, returning whether the username/password is invalid is giving up some information.

    I, personally, don't think it matters. But I don't know anything about breaking into user accounts.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Options

    To me it's common sense to not give any up information, but I'm in QA :).

    Considering many users use the same password everywhere (which they shouldn't) this could possibly be a securtiy issue. (See the recent dropbox "hack" where the user/password combinations where stolen from other services where these users used the same password. I have seen this before.)

  • Options
    BleistivtBleistivt Moderator
    edited October 2014

    Even if you do that, as long as registrations are not closed, a hacker can get that information on the register page.

    Interesting read:

Sign In or Register to comment.