Timeline for Passwords being sent in clear text due to users' mistake in typing it in the username field
Current License: CC BY-SA 3.0
56 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Jul 25, 2022 at 15:43 | answer | added | gerrit | timeline score: 0 | |
| May 19, 2018 at 22:30 | review | Suggested edits | |||
| Mar 17, 2017 at 13:14 | history | edited | CommunityBot | replaced http://security.stackexchange.com/ with https://security.stackexchange.com/ | |
| Dec 22, 2016 at 22:04 | comment | added | рüффп | I recently had something similar when a user put the Authorization Basic <base64> in the URL itself (query param) instead of in the HTTP header... sorry for him, but his request went to the "NCSA-logs" file and we cannot simply prevent logging that as we don't parse the log message before logging it. | |
| S Jun 2, 2016 at 20:59 | history | suggested | Mast | CC BY-SA 3.0 | Improved interpunction, removed click-bait style in the title. |
| Jun 2, 2016 at 20:07 | review | Suggested edits | |||
| S Jun 2, 2016 at 20:59 | |||||
| S Jul 31, 2014 at 13:54 | history | bounty ended | CommunityBot | ||
| S Jul 31, 2014 at 13:54 | history | notice removed | user45139 | ||
| Jul 31, 2014 at 9:21 | answer | added | rjt | timeline score: 0 | |
| S Jul 30, 2014 at 13:41 | history | bounty started | CommunityBot | ||
| S Jul 30, 2014 at 13:41 | history | notice added | user45139 | Authoritative reference needed | |
| Sep 4, 2013 at 12:30 | history | edited | Lex | CC BY-SA 3.0 | deleted 1 characters in body |
| May 15, 2013 at 9:35 | history | edited | Lex | CC BY-SA 3.0 | grammar; format |
| Mar 7, 2013 at 11:53 | history | edited | Lex | CC BY-SA 3.0 | correcting 'Does not exit' to 'Does not exiSt'. |
| Mar 7, 2013 at 11:49 | vote | accept | Lex | ||
| Mar 7, 2013 at 11:48 | comment | added | Lex | @ray023 Can't tell you that, I am afraid. However, this also happens to people making their mistakes on their Windows logon too. | |
| Mar 7, 2013 at 11:47 | history | edited | Lex | CC BY-SA 3.0 | correcting 'Does not exit' to 'Does not exiSt'. |
| Mar 7, 2013 at 2:22 | comment | added | jarmod | [Apologies if someone else already made this comment] This kind of stuff happens a lot more now that so many people use things like KeePass to auto-type their credentials. It's very easy to have the focus in the wrong field and then the auto-typed name, tab, password, enter sequence fills in the wrong fields. | |
| Mar 6, 2013 at 20:30 | comment | added | AJ Henderson | @Sufyan - yeah, that would also be effective, but it would be a usability hit as it requires extra work on the user's part which is generally going to make it poorly received. Not saying it couldn't be the right choice in some situations, but it wouldn't be a popular one. | |
| Mar 6, 2013 at 19:29 | comment | added | ray023 | @Lex "...for some reason..." Just speculating on the reason: Is there javascript on the page that puts focus on the username box after the page loads? My banking website does this and I found myself typing my pw in the username field because of the asynch load. (e.g. I typed in my username and while typing--or right before typing--my pw, page would fully load, set focus to username and my pw would go in username field). | |
| Mar 6, 2013 at 18:10 | history | protected | AviD♦ | ||
| Mar 6, 2013 at 17:01 | comment | added | Sam Woods | I have noticed a really annoying bug where in a web page I will switch to the password field and start typing before the page finishes loading, then when the page does finish (partway through me typing my password) it will rip the focus away from the password field and back to the default (usually the username field). I wish everyone would make sure their product/web site does not do this. | |
| Mar 6, 2013 at 15:49 | comment | added | MikeS | I suddenly feel the need to change various passwords... Also, when I have done this in the past, oftentimes what happens is I'm typing really fast and accidentally miss the "tab" key to move to the next field. In other words... An account failed to login: MikeSP@$$W0RD | |
| Mar 6, 2013 at 15:18 | answer | added | Izac Mac | timeline score: 2 | |
| Mar 6, 2013 at 13:33 | comment | added | mplungjan | I have two machines and one keyboard. Using MouseWithoutborders I sometimes type my password into wherever I THINK the cursor is focused. Not always the box that needs the login. | |
| Mar 6, 2013 at 12:34 | comment | added | Sufyan | If possible, can you add a new field, like re-enter password, and add a client-side validation? | |
| Mar 6, 2013 at 11:55 | answer | added | Tek Tengu | timeline score: 0 | |
| Mar 6, 2013 at 11:24 | answer | added | nalply | timeline score: 4 | |
| Mar 6, 2013 at 9:54 | answer | added | louis_coetzee | timeline score: 0 | |
| Mar 6, 2013 at 4:06 | answer | added | Kevin Reid | timeline score: 5 | |
| Mar 6, 2013 at 3:53 | answer | added | Daniel Pryden | timeline score: 3 | |
| Mar 6, 2013 at 2:52 | answer | added | sharp12345 | timeline score: 0 | |
| Mar 6, 2013 at 2:12 | comment | added | Ben Jackson | Typing my password into something other than a password entry box is probably the leading cause of password changes for me. I should probably make that mistake more often! | |
| Mar 6, 2013 at 1:13 | answer | added | Nathan Goings | timeline score: 21 | |
| Mar 6, 2013 at 0:48 | answer | added | A. Wilson | timeline score: 0 | |
| Mar 5, 2013 at 22:29 | answer | added | dr jimbob | timeline score: 3 | |
| Mar 5, 2013 at 20:47 | comment | added | Allan | This used to happen to me all the time, for the following reason: typically, when I unlock my computer, it remembers that I was the last user and only the password needs to be entered. I often [ctrl]-[alt]-[del] and enter my password before power is restored to my monitor. However, if my last login was via remote desktop, the username is cleared. Following my normal routine in this scenario results in the password being entered as the username. | |
| Mar 5, 2013 at 20:01 | answer | added | Alex Gordon | timeline score: 0 | |
| Mar 5, 2013 at 19:49 | answer | added | Eric G | timeline score: 14 | |
| Mar 5, 2013 at 19:31 | history | tweeted | twitter.com/#!/StackSecurity/status/309023313135546373 | ||
| Mar 5, 2013 at 19:23 | answer | added | Abhijit | timeline score: 4 | |
| Mar 5, 2013 at 18:58 | comment | added | ewanm89 | Those of us who can type without looking at the keyboard can make that mistake too. Usually we also don't actually need to look at the screen, and if one is slightly distracted such a mistake is easy to make. This is the advantage of the Windows XP Home edition and later interface, where it is a menu of users to pick from. Of course, not useful with more than a handful of users. | |
| Mar 5, 2013 at 18:42 | comment | added | Lex | @CodesInChaos that's an interesting idea and I am sure it is possible to implement a regex filter for this. | |
| Mar 5, 2013 at 18:42 | comment | added | Lex | @asadz I agree with you 100% | |
| Mar 5, 2013 at 18:41 | comment | added | Saladin | @Lex but that would be another risk altogether, being saved in clear text on the machine; I was referring to the risk of being sniffed off the wire. The attacker has to be very lucky in that case. Depending upon the response of the system (if it asks for a one-time token / password) or pre-auth in some sort of way, then the chance of actual compromise is far less. | |
| Mar 5, 2013 at 18:38 | comment | added | Lex | @asadz the threat seems pretty big to me, since the password might be transmitted in clear text from the username field as if it were the username. The likelihood might be minimal; however, it is the likelihood of internal fraud from someone abusing the log viewing privileges of the clear-text stored password that scares me the most. | |
| Mar 5, 2013 at 18:29 | comment | added | CodesInChaos | Only log if the username exists in the db? | |
| Mar 5, 2013 at 18:10 | comment | added | Saladin | @Lex I'm confused: what is the risk of someone sniffing the password in this fashion from the wire? How much of a threat does it imply? If I have something like sslstrip it beats all the security on the wire. | |
| Mar 5, 2013 at 17:42 | answer | added | makerofthings7 | timeline score: 22 | |
| Mar 5, 2013 at 17:39 | comment | added | Saladin | Rainbow tables as a SIEM analyst, with app logs and others counting too, more than 5000+ EPS, sounds very inconvenient. There are SIEM solutions like Q1 that would alert on a regex defined to check for username types. | |
| Mar 5, 2013 at 17:33 | answer | added | AJ Henderson | timeline score: 365 | |
| Mar 5, 2013 at 17:31 | comment | added | AJ Henderson | @SparKotॐ - the problem is that if you hash the username, without a common salt, it is exceedingly difficult to identify the user. With a common salt for the username, it becomes possible to do a rainbow table attack against the logs to find any misentered passwords. | |
| Mar 5, 2013 at 17:29 | comment | added | जलजनक | Hash both username & password and send across. Of course account creation has to be on HTTPS. Further logins need not be. | |
| Mar 5, 2013 at 16:49 | history | edited | Lex | CC BY-SA 3.0 | added 50 characters in body |
| Mar 5, 2013 at 16:13 | answer | added | fixulate | timeline score: 38 | |
| Mar 5, 2013 at 16:09 | history | asked | Lex | CC BY-SA 3.0 |
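Several comments in the timeline above sketch mitigations for the logging problem: write the submitted username to the log verbatim only if it names an existing account (CodesInChaos), filter or alert on "usernames" that do not look like usernames (Lex, Saladin), and avoid hashing the username in a way that lets a log viewer match precomputed candidate passwords against the logs (AJ Henderson). The Python below is an added example written for this page; it is not code from the question, from any answer, or from the commenters, and it combines those ideas in one place. The account set, the username policy, the pepper, the IP addresses and the sample log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed account store for the example; a real application would
# query its user database instead.
KNOWN_USERNAMES = {"lex", "mikes", "alice.smith"}

# Assumed username policy: lowercase letters, digits, '.', '_' and '-',
# 3 to 32 characters. Input outside this policy cannot be a valid username
# and is treated as a likely password typed into the wrong field.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{3,32}$")

# Secret pepper for the correlation token. Assumed to live in a secrets
# store that log viewers cannot read; constructed here so the example runs.
LOG_PEPPER = b"example-only-pepper-do-not-reuse"

# The clear-text line format quoted in the comments above.
LEGACY_LINE_RE = re.compile(r"An account failed to login: (\S+)")


def looks_like_password(value: str) -> bool:
    """Heuristic: the submitted string violates the username policy."""
    return USERNAME_RE.match(value.strip().lower()) is None


def correlation_token(value: str) -> str:
    """Keyed, truncated hash of an unknown principal.

    Lets an analyst see that the same unknown string was tried repeatedly
    without writing the string itself to the log. Because the key is secret,
    a log viewer cannot precompute a table of candidate passwords and match
    it against the tokens, which an unkeyed or common-salt hash would allow.
    """
    digest = hmac.new(LOG_PEPPER, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:12]


def failed_login_record(submitted_username: str, source_ip: str,
                        known_usernames=KNOWN_USERNAMES) -> dict:
    """Build the fields for a failed-login log entry.

    The submitted username is kept verbatim only when it names an existing
    account; otherwise it is replaced by a correlation token and the record
    notes whether the input looked like a password.
    """
    normalized = submitted_username.strip().lower()
    if normalized in known_usernames:
        principal = normalized
        reason = "bad_password"
    elif looks_like_password(submitted_username):
        principal = "unknown:" + correlation_token(normalized)
        reason = "password_like_username"
    else:
        principal = "unknown:" + correlation_token(normalized)
        reason = "unknown_user"
    return {"event": "login_failed", "reason": reason,
            "principal": principal, "src": source_ip}


def format_log_line(record: dict) -> str:
    """Render a record as one key=value log line with a UTC timestamp."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return ts + " " + " ".join(f"{k}={v}" for k, v in record.items())


def flag_legacy_log(lines) -> list:
    """Scan existing clear-text failed-login lines and return the indices
    whose logged 'username' looks like a password, so the account owner can
    be told to rotate it. The suspect string itself is neither returned nor
    re-logged, so the alert does not copy the password into another log.
    """
    flagged = []
    for i, line in enumerate(lines):
        match = LEGACY_LINE_RE.search(line)
        if match and looks_like_password(match.group(1)):
            flagged.append(i)
    return flagged


# Constructed sample of the clear-text format quoted in the comments.
SAMPLE_LEGACY_LOG = [
    "An account failed to login: mikes",
    "An account failed to login: MikeSP@$$W0RD",
    "An account failed to login: alice.smith",
]

if __name__ == "__main__":
    for attempt in ("lex", "MikeSP@$$W0RD", "Winter2023"):
        print(format_log_line(failed_login_record(attempt, "203.0.113.7")))
    print("legacy lines needing a password reset:",
          flag_legacy_log(SAMPLE_LEGACY_LOG))
```

Running the file prints three new-style lines (only `lex` appears in clear text; the other two become `unknown:<token>`) and reports that line 1 of the constructed legacy log holds a password-like string. The policy check alone is not enough: a password such as `Winter2023` passes the username regex, which is why the existence check against the account store is the primary gate and the regex only adds a reason code for triage.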