(Unsure of whether this was generally aimed to all, or a subset of more seasoned contributors - however my thoughts are below) In the case of the user entering their password in the correct field, it would be masked in the UI. In the case of the user entering their password in the username field, it would be displayed in plain text in the UI. I would suggest that this is feedback enough to enable the user to self correct. Taking the issue at face value - with a user’s credential making it into the logs, what would one do with such information? How would an attacker take the credential and utilise it - given they don’t know what user it was meant for? Perhaps an attacker could iterate over the users and try the password on each. Perhaps an attacker might see a subsequent successful login showing the actual user name (I’m not sure if that’s logged) - which would narrow the potential users to try in a lightly used system. Finally, what privileges would someone who can access the logs have? Arguably they’d have escalated administrative privileges and thus be in a position of trust already. Personally, I wouldn’t consider this a notable vector within my threat model. However, I’m only an interested party in the field of security, rather than an accredited security professional. — Dan Hardiker | Adaptavist dhardiker(a)adaptavist.com Winners of the Atlassian President's Award for Technical Excellence - http://bit.ly/techexc <http://bit.ly/techexc> Adaptavist <http://adaptavist.com/>;, Waterside, Unit 2, 44-48 Wharf Road, London, N1 7UX, United Kingdom. Registered in England and Wales #5456785.