Mar 24, 2023 - Technology

Human error is threatening Okta passwords, researchers warn

Illustration: Annelise Capossela/Axios

A simple error where Okta users are incorrectly typing their passwords into the username field during login could be leaving them exposed to future attacks.

Driving the news: Researchers at cloud security firm Mitiga found in a report Thursday that identity management company Okta records the information shared during failed login attempts in easily accessible plain text.

  • Okta provides password management and employee access tools across corporate networks for more than 14,000 global customers. Researchers found that the design of Okta's login screen is confusing, making it likely some users will type their password into the username field.
  • The information in those failed login attempts is then stored in audit logs that track user behavior on a network and could be shared with Okta customers' third-party security vendors.
  • "This knowledge can then allow adversaries to compromise Okta user accounts and access any resources or applications that they may have access to, effectively expanding the blast radius of the attack," the report said.
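The failure mode the report describes, a failed login whose username field actually holds a password, can be caught before the audit logs leave the organization. The following is an added example written for this article, not code from Mitiga or Okta: it scans constructed login records (the field names `time`, `client_ip`, `outcome` and `username` and the `example.com` username convention are assumptions, not Okta's log schema), redacts username values that do not look like a username before the records are forwarded to a third-party vendor, and flags the account that next logged in successfully from the same client for a forced password reset.

```python
"""Detect and redact probable password-in-username-field leaks in login audit records."""
import re
from datetime import datetime, timedelta

# Assumption: the org's usernames are e-mail addresses on these domains.
ALLOWED_DOMAINS = {"example.com"}
USERNAME_RE = re.compile(r"^[\w.+-]+@([\w-]+\.)+[\w-]+$")


def looks_like_username(value: str) -> bool:
    """True when the value matches the org's expected username format."""
    if not USERNAME_RE.match(value):
        return False
    return value.split("@", 1)[1].lower() in ALLOWED_DOMAINS


def find_leaks(events, window=timedelta(minutes=5)):
    """Return (redacted_events, accounts_to_reset).

    A FAILURE record whose 'username' field does not look like a username is
    treated as a probable leaked password and redacted. If the same client IP
    then logs in successfully within `window`, that account is flagged so an
    administrator can force a password reset.
    """
    events = sorted(events, key=lambda e: e["time"])
    redacted, to_reset = [], set()
    for i, ev in enumerate(events):
        ev = dict(ev)  # never mutate the caller's records
        if ev["outcome"] == "FAILURE" and not looks_like_username(ev["username"]):
            ev["username"] = "[REDACTED: possible credential]"
            for later in events[i + 1:]:
                if later["time"] - ev["time"] > window:
                    break
                if later["client_ip"] == ev["client_ip"] and later["outcome"] == "SUCCESS":
                    to_reset.add(later["username"])
                    break
        redacted.append(ev)
    return redacted, to_reset


# Constructed sample records (field names are assumptions, not Okta's schema).
T0 = datetime(2023, 3, 23, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "client_ip": "203.0.113.5", "outcome": "FAILURE", "username": "Tr0ub4dor&3"},
    {"time": T0 + timedelta(seconds=20), "client_ip": "203.0.113.5", "outcome": "SUCCESS",
     "username": "alice@example.com"},
    {"time": T0 + timedelta(minutes=1), "client_ip": "198.51.100.9", "outcome": "FAILURE",
     "username": "bob@example.com"},
]
```

Run `find_leaks(SAMPLE_EVENTS)` to see the first record redacted and `alice@example.com` returned as the account to reset; the genuine failed attempt for `bob@example.com` is left untouched.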

Why it matters: Passwords are already a huge target for malicious hackers looking to gain access to sensitive online data.

  • Identity management tools like Okta are often seen as a line of defense to make obtaining those passwords more difficult.

Yes, but: It would take someone gaining access to internal activity logs and combing through them to find passwords entered in the username field for this flaw to lead to an attack.

The other side: Okta told Mitiga that saving passwords in plain text is "expected behavior when users mistakenly enter their password in the username field," according to the report.

  • "These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities," the company added.
