• Resolved frobertgraphiste

    (@frobertgraphiste)


    When a login attempt is falsely registered as spam, the user’s password shows up in the spam list without hashing in the “pwd” value. This is really bad for security. I don’t want admins to be able to see another admin’s password.

    No matter the reason why the login was registered as spam, it should never show the password.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Matthias Nordwig

    (@matthiasnordwig)

    Hi.

    You have a serious issue!

    • Quick fix for your problem: Stop logging spam messages at all
    • Possible change for the plugin – Would that solve your issue?:
      • I could implement a further option that stops logging any login-tries, even those which are classified as spam. This way, even brute-force attacks may not become visible
      • I could implement a further option to define pairs of site / field that shall never be logged. This way you are completely free to define that on your own (my favorite)
    • Background on “Why so complicated?”:
      • “pwd” is not the only field name for the password field on the login page. The field name may be changed. Furthermore, even on other pages of your website several fields with different field names may contain passwords – i.e. such as plugins to manage B2B-customer-logins. Therefore the plugin is not using field name “pwd” to cut out password fields
      • Currently no method exists to identify field types – such as “password” – on the backend for sure. Therefore the plugin instead memorizes all field names that belong to password-fields on the client-side via JavaScript and cuts them out from saving on the backend. If for any reason JavaScript is either crashing or not run at all, two things will happen:
        • This password-memorization fails
        • The login-try is treated as spam

    I hope I can help you and I am happy for feedback on my suggested plugin-change.

    Cheers Matthias
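The weakness described in the reply above is that the only thing keeping a password out of the spam log is a client-side JavaScript step, which fails open when the script does not run. A server-side redaction pass that runs unconditionally before anything is written to the log closes that gap, and it can carry the "skip these fields" option the author proposes. The following is an added example written for this thread, not code from the plugin: it assumes the plugin has the raw POST array and an admin-configured list of field names to skip, and it combines that list with a built-in set of credential-like name fragments. The field names `b2b_customer_pw` and the sample POST are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's own code): unconditional server-side
// redaction of credential-like fields before a flagged submission is logged.
// Assumption: the plugin can pass the raw POST array plus an array of
// admin-configured field names that must never be stored.

/**
 * True when a field name looks like it carries a credential, judged by an
 * explicit admin deny-list or by built-in name fragments (case-insensitive).
 * Over-matching (e.g. "bypass" containing "pass") is the safe failure mode:
 * a harmless value gets masked instead of a password being stored.
 */
function is_sensitive_field_name(string $name, array $explicit_skip = []): bool
{
    $lower = strtolower($name);
    foreach ($explicit_skip as $skip) {
        if ($lower === strtolower($skip)) {
            return true;
        }
    }
    // WordPress core posts "pwd" from wp-login.php and "pass1"/"pass2" from
    // profile forms; other plugins commonly use "password" or "passwd".
    foreach (['pwd', 'pass', 'secret', 'token', 'otp'] as $fragment) {
        if (strpos($lower, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Returns a copy of $submission in which every sensitive value is replaced
 * by a marker, so the log still shows which fields were posted but never
 * their contents. Nested arrays are handled recursively.
 */
function redact_submission(array $submission, array $explicit_skip = []): array
{
    $clean = [];
    foreach ($submission as $name => $value) {
        if (is_sensitive_field_name((string) $name, $explicit_skip)) {
            $clean[$name] = '[redacted]';
        } elseif (is_array($value)) {
            $clean[$name] = redact_submission($value, $explicit_skip);
        } else {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Constructed sample: a wp-login.php POST that the spam filter flagged,
// plus a hypothetical B2B plugin field named by the admin in the skip list.
$flagged_post = [
    'log'             => 'admin',
    'pwd'             => 'S3cret-Passw0rd!',
    'wp-submit'       => 'Log In',
    'redirect_to'     => '/wp-admin/',
    'b2b_customer_pw' => 'another-secret',
];

$admin_skip_list = ['b2b_customer_pw'];

// Only the redacted copy should ever reach the spam log.
$log_entry = redact_submission($flagged_post, $admin_skip_list);
print_r($log_entry);
```

With the sample above, `pwd` is masked by the built-in fragment list and `b2b_customer_pw` by the admin skip list, while `log`, `wp-submit` and `redirect_to` are kept; because the pass runs on the server regardless of whether the browser executed any JavaScript, a crashed or blocked script no longer leads to a plaintext password in the log.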

    Plugin Author Matthias Nordwig

    (@matthiasnordwig)

    Hi again.

    For the most current release I have added an option to skip fields explicitly from being saved.

    Thanks for your hint!

    Cheers, Matthias

  • The topic ‘Login password showing up’ is closed to new replies.