Home » I accidentally typed my password into the login field, is it still secure?

I accidentally typed my password into the login field, is it still secure?

Solutons:


The concern is whether your password is recorded in the authentication log.

If you’re logging in on a text console under Linux, and you pressed Ctrl+C at the password prompt, then no log entry is generated. At least, this is true for Ubuntu 14.04 or Debian jessie with SysVinit, and probably for other Linux distributions; I haven’t checked whether this is still the case on a system with Systemd. Pressing Ctrl+C kills the login process before it generates any log entry. So you’re safe.

On the other hand, if you actually made a login attempt, which happens if you pressed Enter or Ctrl+D at the password prompt, then the username you entered appears in plain text in the authentication logs. All login failures are logged; the log entry contains the account name, but never includes anything about the password (just the fact that the password was incorrect).

You can check by reviewing the authentication logs. On Ubuntu 14.04 or Debian jessie with SysVinit, the authentication logs are in /var/log/auth.log.

If this is a machine under your exclusive control, and it doesn’t log remotely, and the log file hasn’t been backed up yet, and you’re willing and able to edit the log file without breaking anything, then edit the log file to remove the password.

If your password is recorded in the system logs, you should consider it compromised and you need to change it. Logs might leak for all kinds of reasons: backups, requests for assistance… Even if you’re the only user on this machine, don’t risk it.

Note: I haven’t checked whether Ubuntu 16.04 works differently. This answer may not be generalizable to all Unix variants and is certainly not generalizable to all login methods. For example OpenSSH does log the username even if you press Ctrl+C at the password prompt (before it shows the password prompt, in fact).

In your case, you are safe – you’ve typed in a password and cancelled out of it. A password typed into login prompt followed by wrong password will be considered failed authentication and is partially recorded to btmp log. For tty console that’s however alright.

$ sudo lastb                                                                   
[sudo] password for xieerqi: 
UNKNOWN  tty1                          Mon Apr 25 22:14 - 22:14  (00:00)    

The “accidentally” typed password was recorded as UNKNOWN, so all good here. However, the failed authentications at the GUI login screen do show failed login entries unobfuscated

$ sudo lastb                                                                   
[sudo] password for xieerqi: 
hellowor :1           :1               Mon Apr 25 22:17 - 22:17  (00:00)    
UNKNOWN  tty1                          Mon Apr 25 22:14 - 22:14  (00:00)    

Is there anything good about that ? Well . . .The attacker would have to have access to your system in the first place, even more so – he/she would have to have root access in order to read the btmp log. Which also means for a single user computer – that’s equivalent to having your password stolen already so that entry is of no use to the attacker anyway if they know your password. The password in the entry, you can deduce already, has only partially been recorded, but that gives quite a fair advantage for an attacker, so there’s nothing good about that part

Should you change the password ? Probably, just to be 100% sure.On the other hand, an attacker would have to have access to your btmp log which is the same as having access to /etc/shadow , so there’s no real advantage to it .

Side note:All the output from my Ubuntu 14.04

I think @Gilles answer is great. however i wanted to add emphasis by showing a bullet point of his technical points:

  1. if you logged in via text/console (i.e. not GUI) then…
  2. if you are on specific distro then…
  3. if you have sysvinit instead of systemd…
  4. if you pressed ctrl-c then…
  5. if you actually made a login attempt (pressed ctrl-d or pressed enter) then…
  6. if you have authentication logs enabled then…
  7. if your machine is offline and you are the only one with access to it then…
  8. if the machine is configured to have log authentication remotely then…
  9. if the machine is configured to have backups then…
  10. if the machine’s scheduled backup has run or not then…
  11. if you know how to edit the logfile and ensure the previous version isn’t saved somehow then…
  12. if you are logging in via ssh then…

That means there are 12 places where things could go wrong (probably more than 12). I think changing my password is at least 10x faster than exhaustively checking all 12 places[1]. Additionally changing your password means you have piece of mind (maybe you exhaustively checked… but missed something).

[1] and ensure that you checked correctly (i.e. finding logs, finding backup schedules, finding out how remote logging works, researching what distro/systemd-version i have AND researching how authentication logging works for that distro/systemd-version, researching what my corporate logging implementation is, researching what my corporate backup implementation is, etc etc).

p.s. one last thing. if you are on a properly managed linux machine (i.e. corporate, academic, cloud, etc) then at least one of those bullet points is true. so i would say definitely change your password.

Related Solutions

Joining bash arguments into single string with spaces

[*] I believe that this does what you want. It will put all the arguments in one string, separated by spaces, with single quotes around all: str="'$*'" $* produces all the scripts arguments separated by the first character of $IFS which, by default, is a space....

AddTransient, AddScoped and AddSingleton Services Differences

TL;DR Transient objects are always different; a new instance is provided to every controller and every service. Scoped objects are the same within a request, but different across different requests. Singleton objects are the same for every object and every...

How to download package not install it with apt-get command?

Use --download-only: sudo apt-get install --download-only pppoe This will download pppoe and any dependencies you need, and place them in /var/cache/apt/archives. That way a subsequent apt-get install pppoe will be able to complete without any extra downloads....

What defines the maximum size for a command single argument?

Answers Definitely not a bug. The parameter which defines the maximum size for one argument is MAX_ARG_STRLEN. There is no documentation for this parameter other than the comments in binfmts.h: /* * These are the maximum length and maximum number of strings...

Bulk rename, change prefix

I'd say the simplest it to just use the rename command which is common on many Linux distributions. There are two common versions of this command so check its man page to find which one you have: ## rename from Perl (common in Debian systems -- Ubuntu, Mint,...

Output from ls has newlines but displays on a single line. Why?

When you pipe the output, ls acts differently. This fact is hidden away in the info documentation: If standard output is a terminal, the output is in columns (sorted vertically) and control characters are output as question marks; otherwise, the output is...

mv: Move file only if destination does not exist

mv -vn file1 file2. This command will do what you want. You can skip -v if you want. -v makes it verbose - mv will tell you that it moved file if it moves it(useful, since there is possibility that file will not be moved) -n moves only if file2 does not exist....

Is it possible to store and query JSON in SQLite?

SQLite 3.9 introduced a new extension (JSON1) that allows you to easily work with JSON data . Also, it introduced support for indexes on expressions, which (in my understanding) should allow you to define indexes on your JSON data as well. PostgreSQL has some...

Combining tail && journalctl

You could use: journalctl -u service-name -f -f, --follow Show only the most recent journal entries, and continuously print new entries as they are appended to the journal. Here I've added "service-name" to distinguish this answer from others; you substitute...

how can shellshock be exploited over SSH?

One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this...

Why doesn’t the tilde (~) expand inside double quotes?

The reason, because inside double quotes, tilde ~ has no special meaning, it's treated as literal. POSIX defines Double-Quotes as: Enclosing characters in double-quotes ( "" ) shall preserve the literal value of all characters within the double-quotes, with the...

What is GNU Info for?

GNU Info was designed to offer documentation that was comprehensive, hyperlinked, and possible to output to multiple formats. Man pages were available, and they were great at providing printed output. However, they were designed such that each man page had a...

Set systemd service to execute after fstab mount

a CIFS network location is mounted via /etc/fstab to /mnt/ on boot-up. No, it is not. Get this right, and the rest falls into place naturally. The mount is handled by a (generated) systemd mount unit that will be named something like mnt-wibble.mount. You can...

Merge two video clips into one, placing them next to each other

To be honest, using the accepted answer resulted in a lot of dropped frames for me. However, using the hstack filter_complex produced perfectly fluid output: ffmpeg -i left.mp4 -i right.mp4 -filter_complex hstack output.mp4 ffmpeg -i input1.mp4 -i input2.mp4...

How portable are /dev/stdin, /dev/stdout and /dev/stderr?

It's been available on Linux back into its prehistory. It is not POSIX, although many actual shells (including AT&T ksh and bash) will simulate it if it's not present in the OS; note that this simulation only works at the shell level (i.e. redirection or...

How can I increase the number of inodes in an ext4 filesystem?

It seems that you have a lot more files than normal expectation. I don't know whether there is a solution to change the inode table size dynamically. I'm afraid that you need to back-up your data, and create new filesystem, and restore your data. To create new...

Why doesn’t cp have a progress bar like wget?

The tradition in unix tools is to display messages only if something goes wrong. I think this is both for design and practical reasons. The design is intended to make it obvious when something goes wrong: you get an error message, and it's not drowned in...