Password easily uncovered at login NOT secure

osm5 · 29 Jun 2012, 10:20 PM

Hey all,

I am not tech savvy, so bear with me. But this seems like a very undesirable feature in an email that touts security and spam protection: I typed the first letter of my password in the wrong field, in the username, and lo and behold my entire password filled into the username, completely readable.

How can I disable this from happening? Even though it's in the username field, it wouldn't take a genius to try this as my password in the password field.

osm5

drew · 29 Jun 2012, 11:56 PM

Is there some way to find out if this is related to the browser
or the server for the weblogin? I will try to test it in three different
browsers.

1. FireFox Browser
2. Opera Browser
3. Chromium Browser

Maybe I kindly ask other to do the same with the browsers you have
Internet Explorer and The one for Apple?

One obvious test is to compare if you have saved the password in your browser or not.
osm5 can you maybe delete your cache so it is a fresh boot into the browser and test again?

I am just a user at the forum there exists those that represent Fastmail while I don't
I just care about security on a naive level.

I've now tested in three different Browsers.

1. FireFox Browser (I have my user name and password saved in the browser
and when I write the first letter of the password in the user name box then
it shows my username and not my password. So that gives you some hint maybe? )

2. Opera Browser (Nothing did happen) I don't have it saved either so ...)
3. Chromium Browser (Nothing did happen) I don't have it saved either so ...)

To make a better test I would need to change my password and see if the result
is like you experienced but I am too lazy for that now and hope others or you
to do more testing first.

541 · 30 Jun 2012, 05:47 AM

On any website, if you enter your password in the username field, it will be visible for anyone looking at the screen. This isn't a flaw with the fastmail website or any others.

n5bb · 30 Jun 2012, 12:28 PM

Welcome to the EMD Forums, osm5!

What you are seeing is the "auto-complete" feature in your browser. You have it set to store the contents of fields and fill them in when you later visit that same website.

You can remove your existing passwords in your browser, then disable future password storage. You can also use private browsing to temporarily stop saving such information.

For Firefox, see:

Also see this Fastmail help page:

Account Access

Bill

drew · 30 Jun 2012, 03:12 PM

n5bb is right. I tested with another OS and
Fastmail does not do what you say.
It is the auto complete feature in the Browser that does it.
Look for turning it off in the Preferences.

placebo · 1 Jul 2012, 06:34 AM

Still, the browser shouldn't be filling in your password in the user name field. What has likely happened is that sometime in the past, you accidentally entered your password in the user name field, tried to log in, and your browser ended up saving the information. So if you like the autofill feature, it's not necessary to completely disable it. You just need to delete the saved entry that's causing this behavior.

n5bb · 1 Jul 2012, 10:35 AM

I agree with placebo's analysis.

drew · 1 Jul 2012, 02:50 PM

Placebo has the most logical answer. such has happen to me too.
Depending on what browser you have. Go to Edit then Preferences
then security and there you have a chance to edit your saved usernames
and passwords for sites.

29 Jun 2012, 10:20 PM	#1
osm5 Junior Member Join Date: Jun 2012 Posts: 2	Password easily uncovered at login NOT secure Hey all, I am not tech savvy, so bear with me. But this seems like a very undesirable feature in an email that touts security and spam protection: I typed the first letter of my password in the wrong field, in the username, and lo and behold my entire password filled into the username, completely readable. How can I disable this from happening? Even though it's in the username field, it wouldn't take a genius to try this as my password in the password field. osm5

29 Jun 2012, 11:56 PM	#2
drew The "e" in e-mail Join Date: Jan 2006 Posts: 2,626	Is there some way to find out if this is related to the browser or the server for the weblogin? I will try to test it in three different browsers. 1. FireFox Browser 2. Opera Browser 3. Chromium Browser Maybe I kindly ask other to do the same with the browsers you have Internet Explorer and The one for Apple? One obvious test is to compare if you have saved the password in your browser or not. osm5 can you maybe delete your cache so it is a fresh boot into the browser and test again? I am just a user at the forum there exists those that represent Fastmail while I don't I just care about security on a naive level. I've now tested in three different Browsers. 1. FireFox Browser (I have my user name and password saved in the browser and when I write the first letter of the password in the user name box then it shows my username and not my password. So that gives you some hint maybe? ) 2. Opera Browser (Nothing did happen) I don't have it saved either so ...) 3. Chromium Browser (Nothing did happen) I don't have it saved either so ...) To make a better test I would need to change my password and see if the result is like you experienced but I am too lazy for that now and hope others or you to do more testing first. Last edited by drew : 30 Jun 2012 at 12:13 AM.

30 Jun 2012, 12:28 PM	#4
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,930	Welcome to the EMD Forums, osm5! What you are seeing is the "auto-complete" feature in your browser. You have it set to store the contents of fields and fill them in when you later visit that same website. You can remove your existing passwords in your browser, then disable future password storage. You can also use private browsing to temporarily stop saving such information. For Firefox, see: Private Browsing Give certain websites the ability to store passwords, set cookies and more Also see this Fastmail help page: Account Access Bill

30 Jun 2012, 05:47 AM	#3
541 Essential Contributor Join Date: Aug 2001 Posts: 277	On any website, if you enter your password in the username field, it will be visible for anyone looking at the screen. This isn't a flaw with the fastmail website or any others.

30 Jun 2012, 03:12 PM	#5
drew The "e" in e-mail Join Date: Jan 2006 Posts: 2,626	n5bb is right. I tested with another OS and Fastmail does not do what you say. It is the auto complete feature in the Browser that does it. Look for turning it off in the Preferences.

1 Jul 2012, 06:34 AM	#6
placebo Cornerstone of the Community Join Date: Jun 2004 Posts: 743	Still, the browser shouldn't be filling in your password in the user name field. What has likely happened is that sometime in the past, you accidentally entered your password in the user name field, tried to log in, and your browser ended up saving the information. So if you like the autofill feature, it's not necessary to completely disable it. You just need to delete the saved entry that's causing this behavior.

1 Jul 2012, 10:35 AM	#7
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,930	I agree with placebo's analysis.

1 Jul 2012, 02:50 PM	#8
drew The "e" in e-mail Join Date: Jan 2006 Posts: 2,626	Placebo has the most logical answer. such has happen to me too. Depending on what browser you have. Go to Edit then Preferences then security and there you have a chance to edit your saved usernames and passwords for sites.