I will put this in the backlog for prioritization. But this may be will cause a security concern.

I installed matomo 10 minutes ago and I am about ready to give up due to this weird behavior. Please make it optional as soon as possible. It's super annoying.

@mattab this is a fairly regular request after we made changes for security purposes. Perhaps we could provide workarounds for certain use cases.

See also #19772

How do other Saas tools like Github handle this? Do they remember for like 5minutes that the password was given, or something like this? There must be a common way to solve this problem and it would be great to learn what it is so we don't have to reinvent the wheel (and ideally we don't introduce a new setting...)

There are a couple of Wordpress plugin users that can't use these password protected features at all, they keep getting incorrect password notifications. They tried updating their passwords, using simpler passwords, using more complex passwords and updating their passwords directly in the db. Nothing worked for them. I was unable to reproduce this locally.

Proposed solution

• introduce a new INI setting to let people disable the password confirmation.
• create a new FAQ "How do I disable the password confirmation prompt?" that explains how it's not recommended because it lowers security, but when it's required for some reason, it's possible.
• both core & WP users could leverage this setting if needed

For now i'd say we don't need to link to the FAQ within the app itself, as I guess it's very rarely needed so not worth maybe.

It is kind of already possible to disable the password check by adding this to config/config.php

<?php

return [
    'observers.global' => \DI\add([
        ['Login.userRequiresPasswordConfirmation', \DI\value(function (&$requiresPasswordConfirmation, $login) {
            $requiresPasswordConfirmation = false;
        })],
    ]),
];

That way the password confirmation boxes are still shown, but you can simply click ok, without entring a password.
Might be a suitable solution for the users currently having a problem.

Based on @sgiehl assessment, i'm moving this out of the milestone.
Instead @lance-matomo @mattmary could you collaborate with the WP users who have this issue to reproduce the issue so we can understand the root cause and fix it?

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/how-to-disable-confirmpassword-feature/49834/2

Because a workaround is available and documented here: #19904 (comment)

And because disabling this feature in theory shouldn't be required (and SAML / LDAP plugins handle it correctly) then we can close this issue I think. please comment or reopen if i missed something.