Password Revealed Inside App


Sometimes I slip up and type a password into the username field. I discovered that one program kept all the usernames that got entered. Passwords usually don’t look like usernames, so a stored list of entered usernames can end up containing a user’s password.

I think it was security software, but I don’t remember the likely rationale for it to keep usernames.

This was disturbing. (I no longer have the software.) I don’t know if other programs do this.

You could test for this by searching the program’s files for the password string. This depends on the storage not being encrypted or compressed. Of course, searching can reveal the password, which presumably is your own. You could search for only part of the password. Hopefully, the part you search for isn’t itself common. Either way, don’t be surprised if you get false positives. You may get a result that you dig into and find is irrelevant.

You could intentionally type a fake username into the login page, make up any password, and try to log in. You’ll be rejected, but try anyway. Reboot, to force the memory’s contents to be saved. Then, repeat with a new fake username. Reboot. Next, search all of the program’s files for those fake entries to see where they’re stored. Since you did it twice, you can see the order of the fake usernames in the file, and that’s a clue to which direction to look for earlier username errors. Then, you could use a file editor or disk editor to read the one file where the later fake username is stored for anything interesting nearby, looking in only one direction. That way, you’d have a lower risk of revealing the errant password to anyone else.
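The search-and-order step above, written out as an added example (not code from the original post): it walks a program's data directory, looks for the two fake usernames (here the constructed markers `probe-user-one` and `probe-user-two`) in each file, and reports the order in which they occur so you know which direction to read in. It searches only for the fake markers, never the real password, and assumes the storage is neither encrypted nor compressed. As a generalization beyond the post, it also checks for UTF-16LE encoded copies, since many Windows programs store text that way (an assumption, not something the post states). The `demo()` function builds a constructed temporary directory so the script runs offline.

```python
import os
import tempfile
from pathlib import Path


def encodings_of(marker):
    """Byte forms to look for. UTF-16LE is included on the assumption that
    some programs persist text in that encoding; adjust as needed."""
    return {"utf-8": marker.encode("utf-8"),
            "utf-16le": marker.encode("utf-16-le")}


def find_in_file(path, markers, context=32):
    """Return every hit of any marker in one file, with a few bytes of
    surrounding context so the neighbourhood can be inspected."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return []  # unreadable or vanished file: report nothing
    hits = []
    for marker in markers:
        for enc, needle in encodings_of(marker).items():
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                lo = max(0, idx - context)
                hi = min(len(data), idx + len(needle) + context)
                hits.append({"marker": marker, "encoding": enc,
                             "offset": idx, "context": data[lo:hi]})
                start = idx + 1
    return hits


def scan_tree(root, markers):
    """Walk a directory tree; map each file that contains a marker to its hits."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = find_in_file(path, markers)
            if hits:
                results[path] = hits
    return results


def order_of_markers(hits):
    """Marker names ordered by file offset. If the marker typed second appears
    after the first, older entries lie at lower offsets, and vice versa."""
    return [h["marker"] for h in sorted(hits, key=lambda h: h["offset"])]


def demo():
    """Constructed sample tree: one UTF-8 text log that appends entries, and one
    binary cache that stores newest-first in UTF-16LE. Returns, per file name,
    the order in which the two markers occur."""
    markers = ["probe-user-one", "probe-user-two"]
    with tempfile.TemporaryDirectory() as root:
        Path(root, "recent_logins.txt").write_bytes(
            b"user=alice\nuser=probe-user-one\nuser=bob\nuser=probe-user-two\n")
        Path(root, "cache.bin").write_bytes(
            b"\x00\x01" + "probe-user-two".encode("utf-16-le")
            + b"\x00\x00" + "probe-user-one".encode("utf-16-le"))
        Path(root, "unrelated.png").write_bytes(bytes(range(256)))
        found = scan_tree(root, markers)
        return {os.path.basename(p): order_of_markers(h) for p, h in found.items()}


if __name__ == "__main__":
    for name, order in demo().items():
        print(f"{name}: markers appear in order {order}")
```

Point `scan_tree` at the program's data directory instead of the constructed one, and when a file shows the later marker after the earlier one, read backwards from the later marker's offset; when it shows the reverse, read forwards. Hits in files such as the PNG stand-in above are exactly the false positives the post warns about, so look at the reported context before drawing conclusions.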