What are the security implications of having submitted password in username field?
Let's say I typed my password into the username textbox of a frequently-visited website (https of course) and hit enter before I noticed what I was doing.
Is my password now sitting in plaintext in a log file somewhere? How could my mistake be exploited by a crafty miscreant? Help me understand the factual security implications regardless of the likelihood of it actually happening.
It depends on configuration of authentication system of the site. If it was setup to log any attempts - than yes, it is now in the log (text file or database) in plain text. It could look like that:
12-Feb-2014 12:00:00 AM: Unsuccessful login attempt user (YOUR_PASSWORD_HERE) from (YOUR_IP_HERE);
or similar.
It is still true that password will not be accessible for regular users. Only for those who have access to log files.
What consequences it implies?
- If server would be compromised - than hacker theoretically will have your plain text password.
- Site's admin could routinely go thru the log files and accidentally find your password. He can than find what IP address this record came from and thus he can theoretically find what is your username and e-mail (because he has access to the database).
So, if you have same email/username/password on other resources - than change it immediately. Because there are chances that your password will be found. Logs can remain on servers for years.
Just as you said, webaplications tend to keep logs of unsucessful logins attempts. If someone would be looking through the logs, he can connect this particular login attempt with your another, successful attempt (i.e. via IP adress).
Though I do not think this is likely to happen, you can always change it be sure.