Topic: Privacy issue on failed logins

[Ricky.]

Hello,

I have one small concern regarding privacy issue. It is about logs, once a user failed to login, its password (wrong password ofcourse) get logged visible to admin. I found it privacy issue because many times users uses common password, sometimes they are actually using correct password but at wrong location .

I request that we should not include "password used " in logs.

[Arantor]

Wait, what? The only time it has ever shown me that is if I specifically modify it to do so (e.g. this time last year when sites were routinely under a storm of bots trying to guess user passwords)

It doesn't do this as standard, and the fact that someone's suggesting it be disabled as a standard feature is slightly disturbing.

[Joker™]

Well all I got with incorrect password is this

http://localhost/smf2/index.php?action=login2
Password incorrect - a

I've made a check in DB table too.

Wait, what? The only time it has ever shown me that is if I specifically modify it to do so (e.g. this time last year when sites were routinely under a storm of bots trying to guess user passwords)

Can you point out the mod please.

[Arantor]

Can you point out the mod please.

Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT i.e. doing it myself. Go back to the discussions of the attacks at the start of last year, I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.

I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)

[Joker™]

Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT i.e. doing it myself. Go back to the discussions of the attacks at the start of last year, I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.

Which shows my coffee ain't strong enough . Just woke up .

I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)

I think the OP hsa stated that the password is saved somewhere in SMF if a user makes an incorrect login, and answer for that is pretty simple i.e "No".

[Arantor]

I think the OP hsa stated that the password is saved somewhere in SMF if a user makes an incorrect login, and answer for that is pretty simple i.e "No".

And I'm saying that not only does it not do that, you'd have to disable certain JavaScript to *even get the password anyway*. The password just isn't sent in plain text normally meaning that it doesn't get anything it can save!

[Ricky.]

Arrr...

I guess I overlooked..

Here is the error log :

Apply Filter: Only show the error messages of this URL
http://www.forumnamehere.com/index.php?action=login2
Apply Filter: Only show the errors with the same message
Password incorrect - annez

I guess here annez is username and I had impression its "password" being shown.. My bad.. !

[Kindred]

yeah...   there was a mod made by Arantor in 2011 in order to deal with the rash of DoS-type brute-force login attempts which recorded the attempted password so the admin could track attempts for things like mytest123, mytest124, mytest125, etc.