Is it common practice to log POST parameters? I've never seen such behavior outside of development environments, but that might be because I've never run a very large web application.<p><pre><code> an unscrupulous systems administrator [...] could determine that my password is Th1s1sMyP@ssword just by looking at the logs.
</code></pre>
Couldn't the systems administrator simply change the log code to not filter passwords, or to email the password on each successful login attempt? That seems more reliable and productive than waiting for a user to click the wrong input box.
By this logic ("an unscrupulous sysadmin could pull my password out of the logs"), surely the author should be changing all of their passwords after every attempt they make to log in to anything using the password field? I don't get it.
This is why I prefix my password with several z's. It makes typing the password feel different than typing the username, and since this change, I've always managed to catch myself quickly enough.
If the sysadmin is truly unscrupulous, they might be flat out writing all successful passwords to a database.<p>Never lose sight of the fact that anything you send online can be stored by the site owner. Make your own judgments on how you react to that, but never forget.
That could all be mute if the service doesn't even encrypt passwords, doesn't use one way hashing/encryption, but still assumes the servers are insecure.
Sounds like the problem is more that the same password is used in multiple places. If you use the same password on a bunch of websites you can be almost certain that it could be easily compromised somewhere along the line.<p>If you don't use a password manager, it is extremely difficult to not reuse passwords and it's just not going to happen for the lay person. Here's the advice that I give to friends:<p>1. At the very least, you should have a secure password for only very reputable websites that control valuable information.<p>2. Use a unique password on your email account.<p>3. Use another password to sites where security isn't that important.
If the attacker has obtained access to the server, he can simply modify the code to not filter passwords from the log file anymore. I don't see how this is a surprising problem.