What are the security implications of having submitted password in username field?

19

1

Let's say I typed my password into the username textbox of a frequently-visited website (https of course) and hit enter before I noticed what I was doing.

Is my password now sitting in plaintext in a log file somewhere? How could my mistake be exploited by a crafty miscreant? Help me understand the factual security implications regardless of the likelihood of it actually happening.

agentnega

Posted 2014-02-12T22:14:06.747

Reputation: 613

4

I don't understand why this question is flagged as "opinion-based". It clearly asks "What are the security implications" which can be (and is, given at least the accepted answer) backed-up by facts. – Calimo – 2014-02-14T09:18:44.520

This is on-topic on http://security.stackexchange.com – kinokijuf – 2014-02-14T09:35:31.857

@kinokijuf: Certainly I considered that first, however Information Security Stack Exchange is a question and answer site for Information security professionals. I'm not one, and I don't think we need one to answer this question. I made a mistake that any user could make, and I think the answers are interesting to users, not security professionals. However I could certainly be wrong. – agentnega – 2014-02-14T09:57:23.710

You're right, it should have been closed as "too broad" – random – 2014-02-14T17:07:30.837

Answers

18

It depends on the configuration of the site's authentication system. If it was set up to log any attempts, then yes, it is now in the log (text file or database) in plain text. It could look like this:

12-Feb-2014 12:00:00 AM: Unsuccessful login attempt user (YOUR_PASSWORD_HERE) from (YOUR_IP_HERE);

or similar.

It is still true that the password will not be accessible to regular users. Only to those who have access to the log files.

What consequences does this imply?

  • If the server were compromised, then a hacker would theoretically have your plain text password.
  • The site's admin could routinely go through the log files and accidentally find your password. He can then find what IP address this record came from and thus he can theoretically find what your username and e-mail are (because he has access to the database).

So, if you have the same email/username/password on other resources, then change it immediately, because there is a chance that your password will be found. Logs can remain on servers for years.

VL-80

Posted 2014-02-12T22:14:06.747

Reputation: 3 867
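The answer above describes the failure mode (a stray password recorded verbatim in the "user" field of a failed-login log line) but not what an operator can do about it. The following is an added example, not code from the original answer or from any real site: it shows a login handler writing failed-attempt records without storing an unrecognised username verbatim, and a scrubber that scans existing lines in the answer's log format for "username" values that look like a password. The log format, the account list, the sample lines and the `LOG_PEPPER` secret are all constructed for the example.

```python
"""Added example: keeping a stray password out of an authentication log.

Two defensive pieces:
1. write_failed_login(): record a failed attempt without storing the submitted
   "username" verbatim, since that field may really hold a password typed into
   the wrong box.
2. redact_suspicious(): scrub existing log lines (in the format quoted in the
   answer) whose username value looks like a password.
"""
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed log format, modelled on the line quoted in the answer:
#   12-Feb-2014 12:00:00 AM: Unsuccessful login attempt user (NAME) from (IP);
LOG_RE = re.compile(
    r"^(?P<ts>.+?): Unsuccessful login attempt user \((?P<user>[^)]*)\) from \((?P<ip>[^)]*)\);$"
)

# Constructed secret for keyed hashing; a real deployment would load it from config.
LOG_PEPPER = b"example-pepper-do-not-reuse"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_password(value: str, known_users: set[str]) -> bool:
    """Heuristic: not a known account, and password-shaped
    (>= 8 chars, >= 3 character classes, entropy above 3 bits/char)."""
    if value in known_users:
        return False
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(value) >= 8 and classes >= 3 and shannon_entropy(value) > 3.0


def username_token(value: str) -> str:
    """Keyed, truncated hash of the submitted username: lets an operator
    correlate repeated attempts without keeping the raw value."""
    return hmac.new(LOG_PEPPER, value.encode(), hashlib.sha256).hexdigest()[:12]


def write_failed_login(ts: str, submitted_user: str, ip: str, known_users: set[str]) -> str:
    """Build the log line for a failed attempt. The raw username is written only
    when it matches an existing account; anything else becomes a token."""
    if submitted_user in known_users:
        shown = submitted_user
    else:
        shown = f"unknown:{username_token(submitted_user)}"
    return f"{ts}: Unsuccessful login attempt user ({shown}) from ({ip});"


def redact_suspicious(lines: list[str], known_users: set[str]) -> tuple[list[str], int]:
    """Scrub existing log lines; returns (cleaned lines, number of lines redacted)."""
    cleaned, redacted = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if m and looks_like_password(m.group("user"), known_users):
            line = line.replace(f"({m.group('user')})", "([REDACTED])", 1)
            redacted += 1
        cleaned.append(line)
    return cleaned, redacted


# Constructed sample data for a stand-alone run.
KNOWN_USERS = {"agentnega", "alice"}
SAMPLE_LOG = [
    "12-Feb-2014 12:00:00 AM: Unsuccessful login attempt user (agentnega) from (192.0.2.10);",
    "12-Feb-2014 12:00:05 AM: Unsuccessful login attempt user (Tr0ub4dor&3!) from (192.0.2.10);",
    "12-Feb-2014 12:00:09 AM: Unsuccessful login attempt user (bob) from (192.0.2.11);",
]

if __name__ == "__main__":
    out, n = redact_suspicious(SAMPLE_LOG, KNOWN_USERS)
    print("\n".join(out))
    print(f"{n} line(s) redacted")
    print(write_failed_login("12-Feb-2014 12:01:00 AM", "Tr0ub4dor&3!", "192.0.2.10", KNOWN_USERS))
```

The heuristic in `looks_like_password` is deliberately conservative: a short or all-lowercase value such as a mistyped account name is left alone, so the scrubber will not erase the genuinely useful part of a brute-force trail, while the keyed token in `write_failed_login` still lets an admin notice the same unknown value being retried from several addresses.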

8

There may be a local record of your attempt as well. Many (most?) browsers have an Autofill feature that's enabled by default and saves certain form entries - username, email address, phone #, etc. - for your convenience. If you open the login page again, click on the username field and press the down arrow key, you may see your password listed along with username(s). You can delete it from the list; however, to be absolutely safe it would be best to change your password as suggested above.

– gm2 – 2014-02-13T18:00:46.337

5

Just as you said, web applications tend to keep logs of unsuccessful login attempts. If someone were looking through the logs, he could connect this particular login attempt with another, successful attempt of yours (i.e. via IP address).

Though I do not think this is likely to happen, you can always change it to be sure.

dominiczaq

Posted 2014-02-12T22:14:06.747

Reputation: 151