#41048 Failed login passwords

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5
PHP version: 8.1.29
Admin Tools version: 7.6

Latest post by nicholas on Thursday, 29 August 2024 00:27 CDT

Bo

In older versions of Admin Tools I could see what passwords were attempted on failed logins in the Security Exceptions Log. Now I can see the username only and no password can be seen in current versions. I found a bulletin from you from May 2018 where you said this feature has been removed, which I can understand. I currently have a very specific use-case where I need to see those plain text password attempts. Is there any way to do this, even in a log file, or is it completely unavailable now?

nicholas
Akeeba Staff
Manager

It is now completely unavailable.

The fact remains that this feature was a security risk as it would record people's passwords -- either a "quite close but not close enough" password, or a password they use somewhere else -- in plaintext. If this information was exfiltrated due to a vulnerability in an unrelated piece of software it could seriously compromise the security of that user.

I thought about making it available if the username didn't match, but this was equally problematic since some folks either mistyped their username, or tried a number of possible usernames with their "usual" passwords (a terrible security practice but, well, humans are humans).

I don't have a good solution for your use case. Technically, I could do something about it, but it would be borderline unusable. I could let you provide a GPG public key to encrypt this information, so that you can only decrypt it with a private key on your own computer. The problem is that a. this requires the gnupg PHP extension which is almost never available on commercial hosting and b. the setup and use of such a feature is well beyond what most people can or are willing to do.

If you are interested in something like that, please let me know. I might be able to come up with a custom plugin for you.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
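
The design described in the reply above (encrypt the sensitive field to a GPG public key so that only the holder of the private key can read it), shown as an added example that is not Admin Tools code and not part of the ticket. It assumes the gnupg PECL extension is loaded; the function name, keyring directory and log entry fields are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not Admin Tools code. All names here are hypothetical.

/**
 * Encrypt one sensitive log field to an OpenPGP public key.
 * Fails closed: on any problem it returns a redaction marker, never the plaintext.
 */
function sealLogField(string $armoredPublicKey, string $value, string $gpgHome): string
{
    if (!extension_loaded('gnupg')) {
        return '[redacted: gnupg extension not loaded]';
    }

    // Keyring directory: must be writable by PHP and kept outside the web root.
    putenv('GNUPGHOME=' . $gpgHome);

    try {
        $gpg = new gnupg();
        $gpg->seterrormode(gnupg::ERROR_EXCEPTION);
        $gpg->setarmor(1); // ASCII-armoured output fits a text log column

        // Only the public key is ever imported on the server.
        $imported = $gpg->import($armoredPublicKey);
        if (!is_array($imported) || empty($imported['fingerprint'])) {
            return '[redacted: public key import failed]';
        }

        $gpg->addencryptkey($imported['fingerprint']);
        $cipherText = $gpg->encrypt($value);
    } catch (Exception $e) {
        return '[redacted: encryption error]';
    }

    return (is_string($cipherText) && $cipherText !== '')
        ? $cipherText
        : '[redacted: encryption failed]';
}

// CLI usage: php seal.php /path/to/public-key.asc
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $home = sys_get_temp_dir() . '/gnupg-example'; // example location only
    if (!is_dir($home)) {
        mkdir($home, 0700, true);
    }
    $entry = [ // constructed sample log entry
        'username' => 'constructed-user',
        'sealed'   => sealLogField((string) file_get_contents($argv[1]), 'constructed-sample-value', $home),
    ];
    echo json_encode($entry, JSON_PRETTY_PRINT), PHP_EOL;
}
```

The sealed value is read back with `gpg --decrypt` on the machine that holds the private key; the web server never has the means to decrypt it.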
