What are the Security Implications if a Password is Submitted in the Username Field?

How-To Geek

By Akemi Iwaya

Published Feb 18, 2014

Suppose you are having a bad day and in a hurry to login to a favorite website, then accidentally submit your password in the username text box instead.

Quick Links

The Question

The Answer

Suppose you are having a bad day and in a hurry to login to a favorite website, then accidentally submit your password in the username text box instead. Should you be worried and change your password for that website, or is it just groundless fear?

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader agentnega wants to know what the dangers of typing one's password into the username text box and accidentally submitting it could be:

Let's say I typed my password into the username text box of a frequently-visited website (https of course) and hit enter before I noticed what I was doing.

Is my password now sitting in plain text in a log file somewhere? How could my mistake be exploited by a crafty miscreant? Help me understand the actual security implications regardless of the likelihood of it actually happening.

Would this actually be something to be worried about, or could you look at this as a simple mistake and forget about it?

The Answer

SuperUser contributors Nikolay and GregD have the answer for us. First up, Nikolay:

It depends on the configuration of the authentication system for the website. If it was setup to log any attempts, then yes, it is now in the log (text file or database) in plain text. It could look like this:

12-Feb-2014 12:00:00 AM: Unsuccessful login attempt user (YOUR_PASSSORD_HERE) from (YOUR_IP_HERE);

or similar.

It is still true that a password will not be accessible for regular users, only for those who have access to log files.

What consequences does it imply?

If the server was ever compromised, then theoretically, the hacker would have your plain text password.

The website's administrator could routinely go through the log files and accidentally find your password. He can then find the IP address this record came from, and thus he can theoretically find out what your username and e-mail are (because he has access to the database).

So, if you use the same e-mail/username/password on other websites, then change it immediately. Because there is always a chance that your password will be found out. Logs can remain on servers for years.

Followed by the answer from GregD:

Just as you said, web applications tend to keep logs of unsuccessful login attempts. If someone were to look through the logs, he could connect this particular login attempt with one of your successful attempts (i.e. via IP address).

Though I do not think this is likely to happen, you can always change it be sure.

With the constant barrage of data breaches we read and hear about these days, it would be better to change the password for the website in question (and any others with the same password) for peace of mind. It is better to be safe than sorry when it comes to the security of your online accounts!

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.