[wp-hackers] Wordpress Event Viewer Plugin

Robin Adrianse robin.adr at gmail.com
Tue Apr 3 13:21:55 GMT 2007


I don't think the admin should know what the user's password is. Besides, in
a well-designed application, the admin can change the user's settings, etc.
without needing to know their password.

Having the password emailed to the admin, on the other hand, is kind of
needless, unless I'm misunderstanding something. The user has the "Forgot
Your Password?" option for a reason, and what if they just accidentally have
caps lock on? I don't know and wouldn't trust the admins of 98% of the sites
I sign up at -- forums, for example.

On 4/3/07, Computer Guru <computerguru at neosmart.net> wrote:
>
> +1
>
> I believe it was punBB that had this feature for a *forum* that would email
> the admin on failed login. As you can imagine, that's hundreds of logins a
> day, and a huge security breach.
>
> It's things like this that give off an aura of "non-professionalism" with
> otherwise excellent programs/scripts.
>
> Put it this way: does the admin benefit by knowing the *password* someone
> tried to login with?
>
> Computer Guru
> NeoSmart Technologies
> http://neosmart.net/blog/
>
>
> > -----Original Message-----
> > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > bounces at lists.automattic.com] On Behalf Of Brian Layman
> > Sent: Tuesday, April 03, 2007 4:16 PM
> > To: wp-hackers at lists.automattic.com
> > Subject: RE: [wp-hackers] Wordpress Event Viewer Plugin
> >
> > A word of warning, please realize that some users will be highly offended if
> > they find out failed passwords are logged in plain text anywhere in the
> > system.  You would be logging failed attempts by valid users as well as fake
> > ones.
> >
> > There's a disconnect in people's minds between the fact that they are
> > sending a password to a webserver and the fact that it can be read by the
> > people who run the site.  The thought that some sites are likely created
> > just to harvest passwords is a bit bothersome, but I'm sure it's true.  I
> > just hope it's not true of any really popular sites.
> >
> > I once saw someone write one of these plugins for another web app and they
> > had it email the invalid login attempts (with mistyped passwords) to the
> > admin email address.  Well the admin email address for this site delivered a
> > list of about 20 people.  So those people all saw the mistyping and pretty
> > much could guess at what the passwords really should have been.  That
> > included failed admin logins too.  Also users tried alternative passwords
> > that had been used at other sites and they thought they had used at this
> > site too.  Since each admin had different privileges, this was a complete
> > security breakdown.  The plugin was quickly turned off.
> >
> > There are some real-life issues here.  The passwords are stored in an
> > "encrypted" field in WordPress for a reason.  I'd also worry that if you
> > included a failed password logging feature, someone would hack your plugin
> > to simply always email the passwords out for every login.  That wouldn't be
> > your responsibility, but the plugin is probably easier to decipher than the
> > actual WP log in code is.  And it is something to consider.
> >
> > So, basically if I added a feature like that, I would make certain to
> > restrict log access to the admins and to use a nonce so that browsing or
> > posting directly to the log viewing page is only allowed by those admins.  I
> > would also make it optional and leave it off by default.  But that's just
> > me.  Some might not have any problem at all with this.
> >
> > _______________________________________________
> > Brian Layman
> > http://www.TheCodeCave.com
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
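An added example, not code from any plugin discussed in this thread, of the design Brian Layman sketches above: record failed logins without ever touching the submitted password, show the log only to administrators, and protect the page's one state-changing action with a nonce. It assumes the WordPress `wp_login_failed` action (which passes the attempted username), the `manage_options` capability, and the `add_options_page`, `wp_nonce_field`, `check_admin_referer`, `current_time` and `esc_html` functions as they exist in current WordPress; every name prefixed `fll_` is invented for this example.

```php
<?php
/*
Plugin Name: Failed Login Log (example)
Description: Records failed login attempts WITHOUT the submitted password and
             shows them only to administrators on a nonce-protected page.
*/

// Assumption: WordPress fires 'wp_login_failed' with the attempted username
// whenever authentication fails. The password is never read here.
add_action( 'wp_login_failed', 'fll_record_failed_login' );

function fll_record_failed_login( $username ) {
    $log   = get_option( 'fll_failed_logins', array() );
    $log[] = array(
        'time'     => current_time( 'mysql' ),
        'username' => (string) $username,
        'ip'       => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
    );
    // Bound the stored log so the options table cannot grow without limit.
    if ( count( $log ) > 500 ) {
        $log = array_slice( $log, -500 );
    }
    update_option( 'fll_failed_logins', $log );
}

// Register the viewing page under Settings. 'manage_options' keeps the menu
// entry and the page itself restricted to administrators.
add_action( 'admin_menu', 'fll_register_page' );

function fll_register_page() {
    add_options_page( 'Failed Logins', 'Failed Logins', 'manage_options',
                      'fll-failed-logins', 'fll_render_page' );
}

function fll_render_page() {
    // Re-check the capability here: registering the menu with a capability
    // does not by itself stop a lower-privileged user requesting the page URL.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view this log.' );
    }

    // The only state-changing action (clearing the log) must carry a valid
    // nonce, so a forged cross-site POST from an admin's browser is rejected.
    if ( isset( $_POST['fll_clear'] ) ) {
        check_admin_referer( 'fll_clear_log' );
        update_option( 'fll_failed_logins', array() );
    }

    $log = get_option( 'fll_failed_logins', array() );

    echo '<div class="wrap"><h2>Failed login attempts</h2>';
    echo '<table class="widefat"><thead><tr><th>Time</th><th>Username</th><th>IP</th></tr></thead><tbody>';
    foreach ( array_reverse( $log ) as $entry ) {
        // Everything in the log came from the network; escape it before output.
        echo '<tr><td>' . esc_html( $entry['time'] ) . '</td><td>'
           . esc_html( $entry['username'] ) . '</td><td>'
           . esc_html( $entry['ip'] ) . '</td></tr>';
    }
    echo '</tbody></table>';

    echo '<form method="post">';
    wp_nonce_field( 'fll_clear_log' );
    echo '<p><input type="submit" class="button" name="fll_clear" value="Clear log" /></p>';
    echo '</form></div>';
}
```

Two points of the design are worth separating: the capability check is what restricts who can see the log, while the nonce only binds the clear-log POST to a form the administrator actually rendered. Note also that the username field is not entirely free of the problem the thread describes, since users sometimes type their password into it by mistake; that is why even this reduced log is kept bounded and visible only to administrators.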

