> Is it really a security risk, though?  Remember that the password displayed here
> did *not* work (otherwise, the user would have been logged in), so a potential
> attacker is not learning anything new.  After all, they can just try various
> username and password combinations on your login screen, and find out exactly the
> same thing, even if the password text were not echoed.
> 
I don't understand; it seems to me the attacker is learning something.
Two likely reasons for a failed login are:
- a simple typo; in this case trying a few variations or, in many cases,
correcting the spelling will get the attacker in.
- the user has multiple passwords and typed the wrong one. This
might compromise other systems.

Joerg
