Author Topic: Privacy issue on failed logins  (Read 2738 times)

Offline Ricky.

  • Customizer
  • SMF Hero
  • *
  • Posts: 4,025
    • Indian Linux Forums
Privacy issue on failed logins
« on: January 03, 2012, 02:34:27 AM »
Hello,

I have one small concern regarding a privacy issue. It is about logs: once a user fails to log in, the password (the wrong password, of course) gets logged, visible to the admin. I find this a privacy issue because many times users use a common password, and sometimes they are actually using the correct password but at the wrong location.

I request that we should not include "password used" in the logs.

:)

Offline Arantor

  • SMF Friend
  • SMF Legend
  • *
  • Posts: 58,417
Re: Privacy issue on failed logins
« Reply #1 on: January 03, 2012, 05:07:13 AM »
Wait, what? The only time it has ever shown me that is if I specifically modify it to do so (e.g. this time last year when sites were routinely under a storm of bots trying to guess user passwords).

It doesn't do this as standard, and the fact that someone's suggesting it be disabled as a standard feature is slightly disturbing.

Online Joker™

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 5,760
  • Gender: Male
Re: Privacy issue on failed logins
« Reply #2 on: January 03, 2012, 05:13:34 AM »
Well, all I got with an incorrect password is this:

Quote
http://localhost/smf2/index.php?action=login2
Password incorrect - a

I've made a check in the DB table too.

Quote
Wait, what? The only time it has ever shown me that is if I specifically modify it to do so (e.g. this time last year when sites were routinely under a storm of bots trying to guess user passwords)
Can you point out the mod please.
Github Profile
My Mods
How to enable Post Moderation
Paid Support


"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved

Offline Arantor

Re: Privacy issue on failed logins
« Reply #3 on: January 03, 2012, 05:31:04 AM »
Quote
Can you point out the mod please.

Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT, i.e. doing it myself. Go back to the discussions of the attacks at the start of last year: I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.

I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)

Online Joker™

Re: Privacy issue on failed logins
« Reply #4 on: January 03, 2012, 05:44:42 AM »
Quote
Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT i.e. doing it myself. Go back to the discussions of the attacks at the start of last year, I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.
Which shows my coffee ain't strong enough :P. Just woke up ;).


Quote
I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)
I think the OP has stated that the password is saved somewhere in SMF if a user makes an incorrect login, and the answer for that is pretty simple, i.e. "No".

Offline Arantor

Re: Privacy issue on failed logins
« Reply #5 on: January 03, 2012, 05:48:33 AM »
Quote
I think the OP has stated that the password is saved somewhere in SMF if a user makes an incorrect login, and the answer for that is pretty simple, i.e. "No".

And I'm saying that not only does it not do that, you'd have to disable certain JavaScript to *even get the password anyway*. The password just isn't sent in plain text normally, meaning that it doesn't get anything it can save!

Offline Ricky.

Re: Privacy issue on failed logins
« Reply #6 on: January 03, 2012, 06:35:24 AM »
Arrr...

I guess I overlooked.

Here is the error log:

Quote
http://www.forumnamehere.com/index.php?action=login2
Password incorrect - annez
I guess here annez is the username, and I had the impression it was the "password" being shown. My bad!

Offline Kindred

  • Project Manager
  • SMF Master
  • *
  • Posts: 37,597
  • Gender: Male
  • Red Sox WIN!
    • wagner999 on Facebook
    • www.linkedin.com/in/wdwagner/ on LinkedIn
    • @Kindred_999 on Twitter
Re: Privacy issue on failed logins
« Reply #7 on: January 03, 2012, 10:08:00 AM »
Yeah... there was a mod made by Arantor in 2011 in order to deal with the rash of DoS-type brute-force login attempts, which recorded the attempted password so the admin could track attempts for things like mytest123, mytest124, mytest125, etc.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support forums.  Thank you.