[cryptography] Password non-similarity?

John Levine johnl at iecc.com
Sat Dec 31 22:16:39 EST 2011


>Well, on more than a few occasions, I've observed cases
>where users have accidentally entered their password into the
>"username" field (either alone, or with the username prepended).
>Of course, the login attempt fails and, more to the point, the
>invalid "user name" is logged. The users almost immediately
>realize their mistakes, and then login correctly. Unfortunately,
>most users don't realize that their password has just been logged
>as an invalid user name and their logged subsequent successful login
>makes it rather trivial to associate that password with the actual
>username of the user.

Where's this log?  Wherever it is, it's on a system that also has their
actual password.

If I wanted to reverse engineer passwords, this doesn't strike me as a
particularly efficient way to do so.

R's,
John
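Two defender-side controls for the failure mode described in the quoted text, added here as an example and not part of the thread: redacting the user-supplied name from "Invalid user" lines before they reach long-term storage, and correlating such a failure with a successful login from the same source shortly afterwards so the affected account can be flagged for a password change. The log lines are constructed in OpenSSH/syslog style, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log (OpenSSH-style syslog lines, not from the original post).
# The first "Invalid user" is a plausible password typed into the username field.
SAMPLE_LOG = """\
Dec 31 22:10:01 host sshd[101]: Invalid user Tr0ub4dor&3 from 192.0.2.10 port 50001
Dec 31 22:10:09 host sshd[102]: Accepted password for alice from 192.0.2.10 port 50002 ssh2
Dec 31 22:11:30 host sshd[103]: Invalid user admin from 198.51.100.7 port 40000
Dec 31 22:30:00 host sshd[104]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
"""

INVALID = re.compile(r"^(\w{3} +\d+ [\d:]+) .*Invalid user (\S+) from (\S+)")
ACCEPTED = re.compile(r"^(\w{3} +\d+ [\d:]+) .*Accepted \w+ for (\S+) from (\S+)")


def _ts(stamp, year=2011):
    # Syslog omits the year; 2011 is assumed here to match the thread's date.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def redact_invalid_users(log_text):
    """Drop the rejected 'username' entirely: it is attacker-controlled input at best
    and someone's password at worst, and neither belongs in a retained log."""
    return re.sub(r"(Invalid user )\S+", r"\1<redacted>", log_text)


def find_leak_candidates(log_text, window=timedelta(seconds=60)):
    """Pair each 'Invalid user' failure with a successful login from the same source
    address within `window`. Returns the source and the account that then logged in,
    deliberately without the rejected name, so the tool does not copy the leak."""
    invalid, accepted = [], []
    for line in log_text.splitlines():
        if m := INVALID.match(line):
            invalid.append((_ts(m[1]), m[3]))
        elif m := ACCEPTED.match(line):
            accepted.append((_ts(m[1]), m[2], m[3]))
    hits = []
    for t_bad, src in invalid:
        for t_ok, account, src_ok in accepted:
            if src_ok == src and timedelta(0) <= t_ok - t_bad <= window:
                hits.append({"source": src, "account": account,
                             "seconds": int((t_ok - t_bad).total_seconds())})
    return hits


if __name__ == "__main__":
    print(redact_invalid_users(SAMPLE_LOG))
    print(find_leak_candidates(SAMPLE_LOG))
```

Only the first pair qualifies: the "admin" failure is followed by a login from the same address eighteen minutes later, outside the window, so it is not reported.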
