Last modified: 2007-03-20 05:44:28 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T11171, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 9171 - Wrong user's cookie
Status: RESOLVED INVALID
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware: PC Windows XP
Importance: Normal normal
Assigned To: Nobody
Reported: 2007-03-05 14:46 UTC by Alf B. Meier
Modified: 2007-03-20 05:44 UTC (History)


Description Alf B. Meier 2007-03-05 14:46:58 UTC
Hi,
Trying to log in this morning I have found that my computer wanted to log in
under an unknown name. The user's name plus his password were clearly on my log
on field. After checking my system for viruses and similar I found a Cookie from
Wikipedia that contained somebody else's data and password and, sorry to say,
was so amateurishly encoded that it took me less than a minute to see the other
user's password in clear. Besides addressing this problem you might want to
contact User:Rough to advise him that his password has been compromised. This is
my at-home computer and has not been used by anyone but me for at least a year.
Besides, my log-ons are slightly harder to crack than yours.
Take care
Alf
Comment 1 Brion Vibber 2007-03-05 14:51:21 UTC
Note that the cookies do not include passwords.
Comment 2 Alf B. Meier 2007-03-05 22:28:04 UTC
(In reply to comment #1)
> Note that the cookies do not include passwords.

Maybe, then please explain why the password was in my log-in box and could be
decoded perfectly. You may say I am crazy but nobody except me has used this
computer for at least one year.
Comment 3 Ral315 2007-03-05 22:32:31 UTC
It's possible that someone used the computer and allowed the browser to save
password information; however, MediaWiki stores username, user ID, and a session
hash.  None of these should include plaintext password information.
Comment 4 Brion Vibber 2007-03-05 22:36:06 UTC
The only time that MediaWiki fills in the password field is if you provide it;
it *shouldn't* ever turn up in a cookie, but I suppose hypothetically if you set
such a cookie there's a chance it might somehow sneak in there.

On the other hand, many browsers *do* have features to save fields and pre-fill
them, including passwords. You should double-check in your browser's setup that
that is the problem.

We have occasionally had odd problems with people getting other people's login
_sessions_ stuck in, probably due to problems with the proxy caching which are
hopefully resolved. That, again, should never show you a password.
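
Comment 4 attributes the stuck login sessions to proxy caching. As an added illustration (not MediaWiki or Wikimedia code, and not part of this report), the check below flags responses that set a cookie while leaving a shared cache free to store and replay them. The URLs, the cookie name and the header sets are constructed, and the rules assume standard HTTP Cache-Control semantics on 200 responses.

```python
# Added example: flag responses a shared proxy cache could store and replay
# together with their Set-Cookie header. All sample data is constructed.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_risk(headers):
    """Return why a shared cache may reuse this response, or None if it may not."""
    names = {k.lower() for k, _ in headers}
    if "set-cookie" not in names:
        return None                      # no session cookie to hand to someone else
    cc = parse_cache_control(
        ",".join(v for k, v in headers if k.lower() == "cache-control"))
    if cc.keys() & {"private", "no-store", "no-cache"}:
        return None                      # not storable, or must be revalidated first
    ttl = cc.get("s-maxage") or cc.get("max-age")   # s-maxage wins for proxies
    if ttl is not None:
        return "explicit-ttl" if ttl.isdigit() and int(ttl) > 0 else None
    if "public" in cc or "expires" in names:
        return "explicit"
    return "heuristic"                   # no directives: cache may guess a lifetime

# Constructed (url, headers) pairs; "example_session" is a placeholder cookie name.
SAMPLES = [
    ("/login", [("Set-Cookie", "example_session=aaa"),
                ("Cache-Control", "private, must-revalidate, max-age=0")]),
    ("/page1", [("Set-Cookie", "example_session=bbb"),
                ("Cache-Control", "public, s-maxage=3600")]),
    ("/page2", [("Set-Cookie", "example_session=ccc")]),
    ("/static", [("Cache-Control", "s-maxage=3600")]),
]

def audit(samples):
    """Return [(url, reason)] for every response that is at risk."""
    return [(u, r) for u, h in samples if (r := shared_cache_risk(h))]

if __name__ == "__main__":
    for url, reason in audit(SAMPLES):
        print(url, reason)
```

A response flagged here is the kind that lets a proxy serve one visitor's session cookie to the next; it never involves the password, which is not part of the cookie.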
