Thanks for your feedback and support. Your idea indeed sounds interesting for audit purposes. However, this would assume you will treat all passwords as plaintext, since at the moment of login you don’t know yet if it will fail or pass. Also, failures are not necessarily attackers but can be your own users, whose passwords you would expose. That is far from best practice and not security by design.
Storing plaintext passwords of failed attempts creates real exposure – both the privacy risk to legitimate users who simply mistyped, and the security risk if the database is ever accessed by someone it shouldn’t be. The diagnostic value doesn’t justify it IMHO.
When I took over the plugin – since I used it myself for years also – we had severe security issues in the code and even a CVE against it. That is now all solved, and we should endeavor to keep the code clean and secure.
Happy to discuss other improvement ideas. You can also contribute to the code directly here: https://github.com/apio-sys/simple-login-log.
Hi! Thanks for the response! It’s been sooo long now, I forget the details of my change. I might have added a column to the failed login table to store the failed password or otherwise grabbed it from the same spot where the login log was getting the data it did store. Regardless, I think it was being stored in plain text.
Your points about security are spot on, but there’s got to be a way to see what the failed attempted passwords were. I mean, WordPress rejected the password and there’s just no record of what that “bad” password was. Your point about the database being accessed by an unauthorized party is completely valid. If database access were actually achieved, they would have access to *all* the passwords and then we would have a completely different problem to deal with. 🙂 lol
In any event, the only reason I mention this is because I noticed this plugin was recently updated and I had actually completely forgotten about it, until this update. In fact, when I saw it was updated, I was concerned that a “bad actor” had taken control of the plugin and well, you can imagine the rest. 🙂
Anyway, thanks for taking the time to reply. 🙂
You’re welcome & kind regards,
Joris.