[Plugin: ThreeWP Activity Monitor] Password tried == Too Much Information

  • Michael

    (@eizzumdm)


    13 years ago

    This is a feature request for a future version of ThreeWP Activity Monitor. I would love to see the ability to disable the logging and display of failed passwords, but still retain the failed login activity item.

    I see where you can disable “wp_login_failed”; however, knowing that a user from an Eastern European IP address made multiple attempts to log in as user “wordpress” is valuable info. Knowing what password they tried is more info than I need, especially, with legitimate users.

    On our network, only Super Admins have permission to see the activity streams, but that still gives the Super Admins too much information about the users who are trusting us with their log-in info.

    Very often failed password attempts are legitimate passwords for other systems (I personally have at least 5 passwords in my mental keychain), or they might be just one typo away from the real password. We also have our login system tied into our LDAP authorization, so when the LDAP server is temporarily unreachable, that login attempt is logged as a failed attempt. Then I, as a super admin, now have access to that user’s password for his/her primary work account.

    Michael

    https://www.ads-software.com/extend/plugins/threewp-activity-monitor/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Ov3rfly

    (@ov3rfly)

    Had the same problem. Wanted to see failed logins, but not the password.

    Solved it with a small patch in file ThreeWP_Activity_Monitor.php v2.3

    Old line 571:

    $this->_( 'Password tried' ) => esc_html( $_POST['pwd'] ),

    New line 571:

    $this->_( 'Password tried' ) => esc_html( '[n/a]' ),

    Thread Starter Michael

    (@eizzumdm)

    Thank you for pinpointing the line I would need to change, Ov3rfly.

    I will wait a few days to see if there is any response from the plugin author. Then I will probably see if I can write a mini plugin to remove the “wp_login_failed” filter and add a function with the patched value.

    Plugin Author edward mindreantre

    (@edward-mindreantre)

    I guess there should be an option for this..

    I’ll have a look at it for v2.5

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[Plugin: ThreeWP Activity Monitor] Password tried == Too Much Information’ is closed to new replies.