> Well, on more than a few occasions, I've observed cases
> where users have accidentally entered their password into the
> "username" field (either alone, or with the username prepended).
> Of course, the login attempt fails and, more to the point, the
> invalid "user name" is logged. The users almost immediately
> realize their mistakes, and then log in correctly. Unfortunately,
> most users don't realize that their password has just been logged
> as an invalid user name and their logged subsequent successful login
> makes it rather trivial to associate that password with the actual
> username of the user.

Where's this log? Wherever it is, it's on a system that also has their actual password. If I wanted to reverse engineer passwords, this doesn't strike me as a particularly efficient way to do so.

R's,
John
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
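
An added example, not part of either poster's message: one way to keep a password typed into the "username" field out of the failed-login log that the quoted text describes, covering both the "alone" and the "username prepended" cases. The account names, key, function names and log line format are assumptions made up for illustration.

```python
import hashlib
import hmac

# Constructed sample data: these account names and this key are made up.
KNOWN_USERS = {"alice", "bob"}
LOG_KEY = b"constructed-example-key"  # assumption: stored away from the log files


def loggable_username(submitted, known_users=KNOWN_USERS, key=LOG_KEY):
    """Return the value to write in the user field of a failed-login log line.

    Known account names are logged as-is. Anything else may be a mistyped
    password, so only a keyed digest is logged: repeated identical typos
    still correlate across lines, but the raw string never reaches disk.
    """
    if submitted in known_users:
        return submitted
    tag = hmac.new(key, submitted.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    # "Username prepended" case: keep the account name, redact what follows it.
    for user in sorted(known_users, key=len, reverse=True):
        if submitted.startswith(user):
            return f"{user}+<redacted:{tag}>"
    return f"<redacted:{tag}>"


def format_failed_login(submitted, source_ip):
    """Build the failed-login log line (hypothetical format)."""
    return f"auth failure user={loggable_username(submitted)} src={source_ip}"
```
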
