Potential for password exposure FYI

Ice.SysActivityLog keeps records of failed logon attempts. The password field is not recorded, but the username field is always recorded as clear text when there’s a failed logon attempt, whether the username exists or not. A common logon failure mode is when a user accidentally types their password into the username field. That’s good enough by itself to match up to a user, even if it doesn’t clearly adjoin another logon failure where the username was recorded.
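The failure mode described above can be checked for on the defender's side: a failed-logon record whose username matches no account is the likely password-in-the-username-field case, and a real username failing from the same source moments before or after tells you whose password it probably is. The following is an added example written for this thread, not Epicor code; the record fields (`when`, `username`, `source`), the known-user set and the sample rows are constructed assumptions standing in for the real Ice.SysActivityLog schema, which a reviewer would query instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record shape; the real Ice.SysActivityLog columns are not
# reproduced here, so map these fields to the actual table when using this.
@dataclass
class FailedLogon:
    when: datetime
    username: str
    source: str

# Assumed directory of valid account names (lower-cased for comparison).
KNOWN_USERS = {"jsmith", "mgarcia", "svc_epicor"}

# Constructed sample rows: two failures from one workstation seven seconds
# apart (real username, then something that is not a username), one lone
# unknown-username failure, and one ordinary failure for a real account.
SAMPLE_RECORDS = [
    FailedLogon(datetime(2024, 1, 8, 9, 0, 0), "jsmith", "10.0.0.5"),
    FailedLogon(datetime(2024, 1, 8, 9, 0, 7), "Tr0ub4dor&3", "10.0.0.5"),
    FailedLogon(datetime(2024, 1, 8, 11, 30, 0), "correct horse battery", "10.0.0.9"),
    FailedLogon(datetime(2024, 1, 8, 11, 35, 0), "mgarcia", "10.0.0.22"),
]


def is_suspect_username(username, known_users):
    """A failed logon whose username matches no account is treated as a
    potential secret: the most common cause is a password typed into the
    wrong field, so the value must not be shown or forwarded as-is."""
    return username.strip().lower() not in known_users


def redact(username, known_users):
    """Return the username for display, masking anything that is not a known account."""
    return username if not is_suspect_username(username, known_users) else "<redacted>"


def find_exposures(records, known_users, window=timedelta(minutes=5)):
    """Return (record, linked_user) pairs for every suspect failed logon.

    linked_user is the real account from another failed logon from the same
    source within `window`, or None when there is no such neighbour. Entries
    without a neighbour are still reported, since the value alone may
    identify the user, as the original post points out."""
    by_source = {}
    for r in records:
        by_source.setdefault(r.source, []).append(r)

    exposures = []
    for rows in by_source.values():
        rows = sorted(rows, key=lambda r: r.when)
        for r in rows:
            if not is_suspect_username(r.username, known_users):
                continue
            linked = None
            for other in rows:
                if other is r or is_suspect_username(other.username, known_users):
                    continue
                if abs(other.when - r.when) <= window:
                    linked = other.username.strip().lower()
                    break
            exposures.append((r, linked))
    return exposures


def report(records, known_users):
    """Human-readable lines for a reviewer, with suspect values already masked."""
    lines = []
    for r, linked in find_exposures(records, known_users):
        who = f"likely account {linked}" if linked else "no adjacent real account"
        lines.append(f"{r.when:%Y-%m-%d %H:%M:%S} {r.source} username={redact(r.username, known_users)} ({who})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS, KNOWN_USERS):
        print(line)
```

The report never echoes the suspect value itself; the point of the scan is to find which rows need purging and which users need a password change, not to collect the leaked strings. In a real deployment the known-user set should come from the identity source of record rather than a literal, and the window can be tuned to how quickly users retry.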

Yes, this is a big problem with basic authentication in general. Consider using Azure AD or Epicor Identity to prevent this behavior.
