> Is it really a security risk, though? Remember that the password displayed
> here did *not* work (otherwise, the user would have been logged in), so a
> potential attacker is not learning anything new. After all, they can just
> try various username and password combinations on your login screen, and
> find out exactly the same thing, even if the password text were not echoed.
>
I don't understand; it seems to me the attacker is learning something.
Two likely reasons for a failed login are:
- a simple typo; in this case trying a few variations, or in many cases
  correcting the spelling, will get the attacker in.
- the user has multiple passwords and typed the wrong one. This might
  compromise other systems.
Joerg
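The behaviour the two posters disagree about, a failed-login response that echoes the rejected password, shown next to a form that does not, with a regression check a defender can run against every failure path of a login handler. This is an added example written for this page, not code from either poster; the function names, the `LoginOutcome` record, the log format and the sample credential are all constructed for the illustration.

```python
"""Added example (not from the thread): failed-login handling with and
without echoing the submitted password, plus a check that no output
channel contains it. All names and sample values are constructed."""
import html
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class LoginOutcome:
    body: str       # text returned to the client
    log_line: str   # line written to the server-side audit log


def failed_login_echoing(username: str, password: str) -> LoginOutcome:
    """The behaviour under discussion: the rejected password is shown to
    the client and written to the log. A near-miss (a typo, or a password
    reused from another system) is therefore disclosed to anyone who can
    read the response or the log."""
    return LoginOutcome(
        body=f"Login failed for {username}: password '{password}' is incorrect.",
        log_line=f"AUTH_FAIL user={username} password={password}",
    )


def failed_login_safe(username: str, password: str) -> LoginOutcome:
    """Hardened form: a generic message and no credential material in
    either channel. The audit log records who failed, never what they
    typed."""
    del password  # intentionally unused: never echoed, never logged
    return LoginOutcome(
        body="Login failed: the username or password is incorrect.",
        log_line=f"AUTH_FAIL user={username}",
    )


def leaks_secret(outcome: LoginOutcome, secret: str) -> bool:
    """Regression check: does the response body or the log line contain
    the submitted secret, either verbatim or in its HTML-escaped or
    percent-encoded form (the encodings a web stack commonly applies on
    the way out)?"""
    if not secret:
        return False
    variants = {secret, html.escape(secret), quote(secret, safe="")}
    haystack = outcome.body + "\n" + outcome.log_line
    return any(v in haystack for v in variants)


if __name__ == "__main__":
    # Constructed sample credential; not a real account.
    user, pw = "alice", "Tr0ub4dor&3"
    for handler in (failed_login_echoing, failed_login_safe):
        out = handler(user, pw)
        print(f"{handler.__name__}: leaks={leaks_secret(out, pw)}")
        print("  body:", out.body)
        print("  log :", out.log_line)
```

Drop `leaks_secret` into the test suite for a login endpoint and run it over each failure response and the corresponding log line; it catches the HTML-escaped echo (`&amp;` for `&`) that a plain substring search on the raw password would miss.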