This is a read-only archive!

Passwords in log files = bad

In Linux when I use SSH I usually pass the host and port and username on the command line and then type the password when prompted. (In those rare cases I don't use certificates to log in without a password.) In Windows, PuTTY makes you pick a host and port and then prompts you for the username AND password.

This leads to unpleasant results. I'm so conditioned to open SSH and type my password at the prompt and hit Enter that I often end up typing my password as my username in PuTTY. Bad.

I've sometimes opened webpages that have some stupid Javascript bullcrap that tries to auto-focus the username field in a login form. But if you're a fast typist (and mouse-ist) like I am, you can focus the field, type your username, and hit tab to get to the password field before the long-loading Javascript bloat has a time to load and run. Which can result in auto-re-focusing the username field, which if it happens at just the right instant, results in my typing the password into it and pounding Enter before I have a chance to notice what's happened. Bad bad bad.

I use a computer far too often to have time too read every prompt, which leads to bad things. Anyone who's used to flying around an interface at light-speed by instinct and repeated learned behavior has experienced this kind of thing I'm sure.

This is horrendously bad because these programs often log the usernames of login attempts in plaintext in logs that lots of potentially evil people have the ability to read. The logs don't usually log the passwords of login attempts, but if you type a password AS a username, oops, you're screwed. Thankfully I'm root on most or all of the machines I ever SSH to, and I can go into /var/log and erase my mistake from the logs before anyone can see. But that doesn't help for web pages I don't know. And I wonder how often this kind of thing happens to other people. I wonder how many people who aren't familiar with computers accidentally send their password as their username to a bunch of websites.

After all the effort we go to to try to secure computer applications, these kinds of stupid human factors can still so easily ruin everything.

May 08, 2008 @ 12:31 PM PDT
Cateogory: Linux

3 Comments

Steve Dibb
Quoth Steve Dibb on May 08, 2008 @ 2:02 PM PDT

I would be much more worried about websites that store the passwords in plain text in the database, which, from my experience in working in the field, is the sad rule and not the exception.

Jinks
Quoth Jinks on May 08, 2008 @ 5:59 PM PDT

Putty copes perfectly well with the user@host syntax in the host field. That, combined with a few saved sessions and you're just a doubleclick away from your password prompt.

Regarding the stupid user enters password as username: That's how we got the Internet access password back in High School :)

m4gus
Quoth m4gus on June 25, 2009 @ 2:39 AM PDT

By the way under Connection-> Data you can set an auto-login username for PuTTy if you wish.