33

Occasionally I will fail to hit Tab properly when entering a username/password combination. This results in me submitting username "myUsername$ecretPa$$word" along with a blank password. I always try to change my password shortly after doing this, fearing that it's entirely possible that someone maintaining the site is logging failed login attempts. It seems reasonable that someone (even a security-conscious admin) would consider logging attempted usernames both useful and safe. But if this happens my password would be stored in some unencrypted log somewhere, right along with my username.

Is this a reasonable concern? Am I being too paranoid?

loneboat
  • 1,434
  • 1
  • 12
  • 16

4 Answers

32

The short answer is that it is very, very likely that your concatenated username and password exist on an unencrypted log somewhere that a larger group of people would conceivably have access to than the restricted logs.

You are not paranoid to change your password and should change it when this happens.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 3
    And if you reuse the password on multiple sites (which, of course, you shouldn't) you should change it everywhere. – Neil Smithline Sep 26 '15 at 04:04
  • 3
    And if you're changing it everywhere, you should change it to different passwords while you're at it. – user Nov 14 '15 at 20:33
  • 3
    This kind of human error is another reason to use a password manager. – joeytwiddle Nov 19 '15 at 15:30
  • 1
    I write web applications and provide support. During support I have seen those fields' (username and password) values concatenated at several places, so I would recommend changing the password without any delay. – Deep May 29 '18 at 13:33
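As an added example (not code from any of the answers above), here is how a site's failed-login logging could keep what an admin actually needs, the ability to correlate repeated failures against one name, without writing a spilled password to disk. Everything in it is constructed for the demo: the assumed username format (3-32 characters of letters, digits, dot, underscore, hyphen), the `AUTH_FAIL` log format, and the sample log lines. The heuristic is the one the question implies: a blank password, or a "username" that could not be a valid account name, is the mis-Tab pattern, so the raw value is replaced by a short hash.

```python
import hashlib
import re

# Assumption for this example: the site's usernames are 3-32 characters of
# letters, digits, dots, underscores or hyphens. A submitted "username" that
# cannot match this could not be an account on the site, so logging it raw
# gives the admin nothing and risks writing a spilled secret to disk.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")

# Log-line format is an assumption for this demo, not any real framework's.
LOG_LINE_RE = re.compile(r"AUTH_FAIL user='([^']*)'")


def naive_failed_login_line(username: str, password: str) -> str:
    """The common practice the answers describe: the submitted username goes
    into the failed-login log verbatim, so a spilled password goes with it."""
    return f"AUTH_FAIL user={username!r} password_blank={password == ''}"


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: stable, so repeated attempts with the same value
    still correlate in the log, but not reversible into the submitted text."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def looks_like_secret_spill(username: str, password: str) -> bool:
    """Heuristic for the mis-Tab case from the question: a blank password, or
    a 'username' that could not be a valid account name."""
    return password == "" or USERNAME_RE.match(username) is None


def safe_failed_login_line(username: str, password: str) -> str:
    """Log a fingerprint instead of the raw username when the submission looks
    like it may contain a secret; otherwise log the username as usual."""
    if looks_like_secret_spill(username, password):
        return (f"AUTH_FAIL user=<redacted sha256:{fingerprint(username)}> "
                f"reason=possible_secret_in_username "
                f"password_blank={password == ''}")
    # Reaching here means the password was non-blank and the name is valid.
    return f"AUTH_FAIL user={username!r} password_blank=False"


def audit_naive_log(lines):
    """Scan an existing verbatim log and return the 1-based line numbers whose
    username field could not be a real username, i.e. entries a defender
    should purge (and a sign the logger itself needs the redaction above)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE_RE.search(line)
        if m and USERNAME_RE.match(m.group(1)) is None:
            hits.append(n)
    return hits


# Constructed sample log written by the naive logger; lines 2 and 4 are the
# mis-Tab pattern (credentials concatenated into the username, blank password).
SAMPLE_NAIVE_LOG = [
    naive_failed_login_line("alice", "wrongpass"),
    naive_failed_login_line("myUsername$ecretPa$$word", ""),
    naive_failed_login_line("bob_42", "hunter2"),
    naive_failed_login_line("dave!Tr0ub4dor&3", ""),
]

if __name__ == "__main__":
    for line in SAMPLE_NAIVE_LOG:
        print("naive:", line)
    print("safe: ", safe_failed_login_line("myUsername$ecretPa$$word", ""))
    print("safe: ", safe_failed_login_line("alice", "wrongpass"))
    print("suspicious lines in naive log:", audit_naive_log(SAMPLE_NAIVE_LOG))
```

The fingerprint keeps the log useful for spotting a burst of failures against one value while making the spilled text unrecoverable from the log alone; `audit_naive_log` is the check to run over logs a verbatim logger has already written, since that is where the password from the question is sitting right now.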
17

But if this happens my password would be stored in some unencrypted log somewhere, right along with my username.

Is this a reasonable concern?

Yes.

Am I being too paranoid?

It depends.

If your worry is about the password being stored, then absolutely you're not. Your password will get stored in the clear to a near certainty. Being aware of reality and current practices is not paranoia.

To worry about the damage that the leaked password can cause - hence the prompt password change - is another matter. There, you might be a bit paranoid... but then again, no, depending on your overall password policy and the kind of sites you usually visit and leak your password on.

There are two mitigating factors:

  1. The log file will almost certainly be viewed by nobody else but administrators (if ever, if at all). They probably already have the means of both impersonating you (i.e. logging in as you, even without knowing your password) and stealing your password, even if the website ought to store it in encrypted form. Also, unless it's some wannabe-run site, administrators are actually on a fairly short leash and cannot e.g. just browse the logs for fun. There are usually first-level filters that submit a portion of the log and the reason for the alert; this mainly to reduce the time spent in checking the logs. Your single failed login shouldn't even trigger a low level alert.

  2. I'm pretty sure, given your security consciousness, that your supersecret password is not reused on multiple sites. Therefore, even if it leaked, it would be no great mischief.

The main danger from passwords leaked on the same site they're used on is that they might supply insight, or straight access, to some other site due to password reuse. An administrator that was kept honest only by the awareness that an access on his site would be immediately tracked to him, might feel friskier towards a third party site which he doesn't administer and where he's not known.

Therefore, if I were such an admin, knowing that your password on my site is loneboat3 would probably make me try loneboat as well as loneboat0 through loneboat9 on your banking site.

And in your case I suspect this danger is negligible.

That said, I think that changing a password as soon as you feel it's been compromised is a very good habit to have no matter what.

LSerni
  • 22,521
  • 4
  • 51
  • 60
-2

Like the previous two answers said, you are not in danger from the site itself, as the site already has your password from the password field; after all, it has to verify who you are.

As for the password being in the log in plain text: there are countless lines in that potential log, and a potential attacker of the server has to search through that log to find the potential password and also know that it is a password; then somehow the attacker has to match the password to a username, and if he succeeds in all that, the attacker would have ONE set of login info. If I were that attacker I would spend my time and effort on the DB itself, since I didn't attack the web server to steal some log files.

You could be in danger of revealing your password if somebody is monitoring your screen, but in this case the problem is much bigger than this one password as the entire PC is compromised anyway by the spyware monitoring the screen.

Also, there are companies where the computers are monitored, and if a worker at one of those PCs does that, the system admin might see the password. But as you can see, so many "if"s here.

Rudy
  • 487
  • 4
  • 8
  • 4
    Usernames get logged in clear-text. This can lead to password exposure. – Neil Smithline Sep 26 '15 at 03:59
  • @NeilSmithline I am no security expert, my answer comes from the fact that I create web apps. I've added info about logs, but I may be wrong in my thinking. – Rudy Sep 26 '15 at 06:35
  • I agree that an attacker wouldn't break into a system to scrape logs for passwords, but an attacker, or even an admin, might browse the log and stumble on the password. They might recognize it's a password, if the username is an email address so the entry looks like `me@example.comjij8w#8j*@jiJ`. Not clearly a password, but suggestive. Even on something like `myUsername$ecretPa$$word`, if a few lines down in the log there is a successful login for `myUsername`, it gives a hint that there's a password. Considering how low-effort changing your password is, better safe than sorry seems appropriate. – Neil Smithline Sep 26 '15 at 15:23
  • @NeilSmithline You are right in what you say, but still, an admin can already impersonate me if he wants, and an attacker will already have my login data from the DB; it is there to take. I am not saying not to change the password, I just say that I wouldn't put too much stress on this case, that's it. If this were an important site like main email or bank or anything important, the site should not let me send a username without a password and hopefully would also have 2-step authentication. – Rudy Sep 26 '15 at 19:10
-3

No. If it is a sensitive site (financial, security clearance, etc.) change your password, but there is basically no chance that your password was picked up by anyone malicious. Most forms don't send data until they are submitted, and if it was submitted, most likely there is a log kept on a server someplace that would see it as an invalid login attempt for an account that doesn't exist. For it to be a security risk, the logs would have to exist (not a guarantee), a hacker would need to get access to the server those logs are on before maintenance wipes them, and then actually look through the large number of failed login attempts and realize that yours was your password, and then he would have to know what your username is as well. This is extremely unlikely, particularly if you are a low value target. Paris Hilton will always have more to worry about than John Smith.

  • 1
    The OP isn't concerned about a hacker, but about the admins. – schroeder Sep 25 '15 at 23:29
  • 1
    @schroeder - are you sure that's true? He says he's concerned that an admin might log the username, but I didn't see anything that suggests he's concerned the admin would exploit it. – Abe Miessler Sep 26 '15 at 04:08