• Resolved crysman

    (@crysman)


    When the wp_login_failed option is enabled, the password entered is shown to admins:

    <some_username> tried to log in to <some_WP_site>
    Password tried aaa
    IP some.ip.address | 12.34.567.89
    User agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

    I do not like it. Admins should NOT see what users entered – this is Big Brother. They should see there was a fail on login due to incorrect password, indeed, but not the password itself.

    I suggest adding an option (checkbox) such as “do not log the password entered” or something like that.

    http://wordpress.org/plugins/threewp-activity-monitor/

Viewing 2 replies - 1 through 2 (of 2 total)
  • See section “Misc” in ThreeWP Activity Monitor “Settings” tab…

    You could set “Password length” e.g. to “1”, so failed logins are logged but you only see the first character.

    Thread Starter crysman

    (@crysman)

    OK, haven’t seen that option in “Misc”… thanks.

    In any event, I would add this hint to the relevant place in the “Activities” tab. Right now, there is this text:

    Logs the password the user tried to login with.
    Logs sensitive information.

    There could be something like this instead:

    Logs the password the user tried to login with.
    The logged password length may be set in “Settings -> Misc”.
    Logs sensitive information.

  • The topic ‘privacy issue: login failed password should NOT be shown!’ is closed to new replies.