On Sun, Jan 01, 2012 at 03:16:39AM -0000, John Levine wrote:
> > Well, on more than a few occasions, I've observed cases
> > where users have accidentally entered their password into the
> > "username" field (either alone, or with the username prepended).
> > Of course, the login attempt fails and, more to the point, the
> > invalid "user name" is logged. The users almost immediately
> > realize their mistakes, and then log in correctly. Unfortunately,
> > most users don't realize that their password has just been logged
> > as an invalid user name and their logged subsequent successful login
> > makes it rather trivial to associate that password with the actual
> > username of the user.
>
> Where's this log? Wherever it is, it's on a system that also has their
> actual password.
>
> If I wanted to reverse engineer passwords, this doesn't strike me as a
> particularly efficient way to do so.
>
> R's,
> John
Well, the log is presumably unencrypted on the same machine that has a *hash* of their actual password. It takes a lot longer to crack against the hashed password list than it does to scan the log for these types of log messages, which they can then check against the hashed password database quickly and easily.

I agree with Kevin that this scenario isn't enough justification for the overhead and user annoyance that is forced password rotation, but it's not an unreasonable scenario to want to mitigate. Some web servers even make it easy to accidentally export the logs, since often HTTP is the access method of choice for the people who actually should be able to review the logs...

-Craig

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
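The mitigation side of the scenario discussed above, as an added example that is not part of the thread: a failed-login formatter that writes the attempted "user name" verbatim, beside a hardened formatter that stores only a keyed HMAC pseudonym of it, plus a scrubber for log lines written before the change. The sshd-style log format, the sample lines and the key value are all constructed for this example.

```python
import hmac
import hashlib
import re

# Constructed sample auth-log excerpt (hypothetical sshd-style format, not from
# the thread). The first failed line is exactly the case Kevin describes: the
# token in the "invalid user" position is really a mistyped password.
SAMPLE_LOG = """\
2012-01-01T03:10:02Z sshd[4321]: Failed password for invalid user hunter2 from 203.0.113.7
2012-01-01T03:10:09Z sshd[4321]: Accepted password for alice from 203.0.113.7
2012-01-01T03:11:40Z sshd[4330]: Failed password for invalid user mallory from 198.51.100.9
"""

# Hypothetical per-host key; a real deployment would load it from a secrets store,
# never from the log-reading account's own files.
LOG_KEY = b"example-log-pseudonymisation-key"


def naive_failed_login_line(attempted_name: str, source: str) -> str:
    """The problematic pattern: whatever was typed into the username field
    lands in the log verbatim, including a password entered by mistake."""
    return f"Failed password for invalid user {attempted_name} from {source}"


def pseudonym(value: str, key: bytes = LOG_KEY) -> str:
    """Keyed HMAC tag of the attempted name. Repeated attempts with the same
    wrong value still correlate (useful for spotting guessing), but the raw
    text is not stored and cannot be brute-forced from the log without the key."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "h:" + tag[:16]


def safe_failed_login_line(attempted_name: str, source: str) -> str:
    """Hardened form of naive_failed_login_line: same line shape, no secret."""
    return f"Failed password for invalid user {pseudonym(attempted_name)} from {source}"


# Matches the token that follows "invalid user " in an already-written line.
_INVALID_USER = re.compile(r"(invalid user )(\S+)")


def scrub_log(text: str) -> str:
    """Redact the attempted-name token in existing failed-login lines, for logs
    produced before the safer formatter was in place. Successful logins, whose
    user names are legitimate, are left untouched."""
    return _INVALID_USER.sub(lambda m: m.group(1) + "[redacted]", text)


if __name__ == "__main__":
    print(naive_failed_login_line("hunter2", "203.0.113.7"))
    print(safe_failed_login_line("hunter2", "203.0.113.7"))
    print(scrub_log(SAMPLE_LOG))
```

An unkeyed hash would not be enough here: the log reader could hash candidate passwords and compare, which is the same offline attack the thread worries about. Keying the tag moves the secret out of the log file, so possession of the log alone no longer yields the password.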
