Privacy issue on failed logins

Started by Ricky., January 03, 2012, 02:34:27 AM


Ricky.

Hello,

I have one small concern regarding a privacy issue. It is about logs: once a user fails to log in, their password (the wrong password, of course) gets logged, visible to the admin. I find this a privacy issue because many times users use a common password, and sometimes they are actually using the correct password but at the wrong location.

I request that we should not include "password used" in logs.

:)

Arantor

Wait, what? The only time it has ever shown me that is if I specifically modify it to do so (e.g. this time last year when sites were routinely under a storm of bots trying to guess user passwords)

It doesn't do this as standard, and the fact that someone's suggesting it be disabled as a standard feature is slightly disturbing.

Joker™

Well all I got with incorrect password is this

Quote
http://localhost/smf2/index.php?action=login2
Password incorrect - a

I've made a check in DB table too.

Quote from: arrowtotheknee on January 03, 2012, 05:07:13 AM
Wait, what? The only time it has ever shown me that is if I specifically modify it to do so (e.g. this time last year when sites were routinely under a storm of bots trying to guess user passwords)
Can you point out the mod please.
Github Profile
Android apps
Medium

How to enable Post Moderation

"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved

Arantor

Quote
Can you point out the mod please.

Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT i.e. doing it myself. Go back to the discussions of the attacks at the start of last year, I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.

I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)

Joker™

Quote from: arrowtotheknee on January 03, 2012, 05:31:04 AM
Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT i.e. doing it myself. Go back to the discussions of the attacks at the start of last year, I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.
Which shows my coffee ain't strong enough :P. Just woke up ;).


Quote from: arrowtotheknee on January 03, 2012, 05:31:04 AM
I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)
I think the OP has stated that the password is saved somewhere in SMF if a user makes an incorrect login, and the answer for that is pretty simple, i.e. "No".

Arantor

Quote from: Joker™ on January 03, 2012, 05:44:42 AM
I think the OP has stated that the password is saved somewhere in SMF if a user makes an incorrect login, and the answer for that is pretty simple, i.e. "No".

And I'm saying that not only does it not do that, you'd have to disable certain JavaScript to *even get the password anyway*. The password just isn't sent in plain text normally meaning that it doesn't get anything it can save!

Ricky.

Arrr...

I guess I overlooked it.

Here is the error log :

Quote
Apply Filter: Only show the error messages of this URL
http://www.forumnamehere.com/index.php?action=login2
Apply Filter: Only show the errors with the same message
Password incorrect - annez
I guess here annez is the username and I had the impression it was the "password" being shown. My bad!
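As an added example (not SMF's own code and not from anyone in this thread), here is a small Python script that reads error-log lines in the format Ricky quoted above and counts failed logins per username, so an admin can spot a bot storm like the one Arantor describes without the attempted password ever being logged. The log entries below are constructed sample data; the hostname and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of SMF error-log entries in the shape quoted above:
# a URL line followed by the message line. Not taken from a real forum.
SAMPLE_LOG = """\
http://www.forumnamehere.com/index.php?action=login2
Password incorrect - annez
http://www.forumnamehere.com/index.php?action=login2
Password incorrect - admin
http://www.forumnamehere.com/index.php?action=login2
Password incorrect - admin
http://www.forumnamehere.com/index.php?action=profile;u=1
Some unrelated error
http://www.forumnamehere.com/index.php?action=login2
Password incorrect - admin
"""

# SMF's message carries the *username* after the dash, never the password.
LOGIN_FAIL = re.compile(r"^Password incorrect - (?P<user>\S+)\s*$")


def parse_failed_logins(log_text):
    """Return a Counter of failed-login attempts keyed by username.

    Lines that are not 'Password incorrect - <user>' messages (URL lines,
    unrelated errors) are ignored, so the count is purely login failures.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_FAIL.match(line.strip())
        if m:
            counts[m.group("user")] += 1
    return counts


def accounts_under_pressure(counts, threshold=3):
    """Usernames whose failure count reaches the threshold, most-hit first.

    The threshold is an assumed value; tune it to the forum's normal traffic.
    """
    return [user for user, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG)
    print(failures)                      # Counter({'admin': 3, 'annez': 1})
    print(accounts_under_pressure(failures))  # ['admin']
```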

Kindred

yeah... there was a mod made by Arantor in 2011 in order to deal with the rash of DoS-type brute-force login attempts which recorded the attempted password so the admin could track attempts for things like mytest123, mytest124, mytest125, etc.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
