Why are passwords stored in clear text in the exception.log? This is a security risk. How can this be turned off? Passwords should be hashed in the log if visible at all.
Here is a sample line in the log where this occurs:
/var/www/...../shop/app/code/core/Mage/Customer/controllers/AccountController.php(154): Mage_Customer_Model_Session->login('email@example.com', 'clear text password')#18
It is not actually stored; rather, the intent is to print the exception trace, and in this case the chain of classes with the login method that receives two parameters, email and password. A question would be: why are you getting the exception on login? Also, if you would like to avoid the password being exposed in logs (case: no need to know credentials for debugging), then you can override the file to remove the printed exception specific to this case - assumed Customer Module -> controllers -> AccountController->loginPostAction - and comment out Mage::logException(..) in the catch statement.
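An alternative to commenting out the log call, as an added example that is not part of the original posts and is not Magento code: keep the exception in the log but write a trace that records only the type of each call argument, so neither the email nor the password reaches exception.log. `redactedTrace`, `describeArg` and `DemoSession` are hypothetical names, and the credentials in the demo are constructed values.

```php
<?php
// Report only the type (and the class for objects), never the value.
function describeArg($arg)
{
    if (is_object($arg)) {
        return 'Object(' . get_class($arg) . ')';
    }
    return is_array($arg) ? 'Array' : gettype($arg);
}

// Build a trace in the same layout as the sample log line, with arguments redacted.
function redactedTrace($e)
{
    $lines = array(get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
    $trace = $e->getTrace();
    foreach ($trace as $i => $frame) {
        $where = isset($frame['file'])
            ? $frame['file'] . '(' . $frame['line'] . ')'
            : '[internal function]';
        $call = (isset($frame['class']) ? $frame['class'] . $frame['type'] : '')
            . $frame['function'];
        // 'args' is absent when zend.exception_ignore_args is enabled (PHP 7.4+).
        $args = isset($frame['args'])
            ? array_map('describeArg', $frame['args'])
            : array();
        $lines[] = '#' . $i . ' ' . $where . ': ' . $call
            . '(' . implode(', ', $args) . ')';
    }
    $lines[] = '#' . count($trace) . ' {main}';
    return implode("\n", $lines);
}

// Constructed stand-in for the session class named in the sample log line.
class DemoSession
{
    public function login($email, $password)
    {
        throw new Exception('Login failed');
    }
}

try {
    $session = new DemoSession();
    $session->login('email@example.com', 'constructed-password');
} catch (Exception $e) {
    // In an overridden loginPostAction this string would be passed to Mage::log()
    // in place of the Mage::logException($e) call (assumption about the override).
    echo redactedTrace($e), "\n";
}
```

The login frame is then logged as `DemoSession->login(string, string)`; the exception message itself is still written verbatim, so it must not embed credentials either.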