
I saw the following question before: Is it legal to log passwords from failed logins?

I think it raises another question: How do I log failed attempted passwords?

That seems very useful when I need to check if someone is socially engineering his way into someone else's account.

vianna77
  • Why do you need to log the password's value? – Neil Smithline Nov 14 '15 at 17:18
  • I want to know if someone is trying to brute force his way into someone else's account. For instance, there is a guy in the office who loves airplanes and his password is, obviously, an airplane. That narrows down the range of possible passwords a lot. – vianna77 Nov 14 '15 at 17:22
  • @NeilSmithline, I also don't have a lot of knowledge on security. And the more I know, the more I will be able to work around the security holes and protect the system. – vianna77 Nov 14 '15 at 17:25
  • How could knowing the attempted password possibly help? What you need to know to detect intrusion attempts is the username, not the password. In any case, “how do I …” depends on the system, so your question is underspecified, and is a configuration matter rather than a security policy matter, so it's off-topic here. – Gilles 'SO- stop being evil' Nov 15 '15 at 15:02
  • You log the *failures*, not the password values. Then you either lock the account or introduce delays to prevent or slow down the attack. – schroeder Nov 15 '15 at 17:39
  • Vianna - would `Should I log the value of the password when a failed login attempt occurs?` be an accurate summary of your question? Or maybe you're asking `How do I detect password attacks on a user's account?` – Neil Smithline Nov 15 '15 at 20:34

1 Answer


That would be incredibly simple. You could also log the attempted password value. Modify your login function somehow, depending on your language.

Keep in mind, this is untested pseudo code, but the concept will work:

  1. Couple of security things:

    import java.nio.charset.StandardCharsets;
    import java.util.regex.Pattern;

    // The three patterns are assumed values (the original leaves them undefined); adjust them to your own policy.
    private static final Pattern usernameRegex = Pattern.compile("^[A-Za-z0-9_.-]+$");
    private static final Pattern passwordRegex = Pattern.compile("^[\\x20-\\x7E]+$");
    private static final Pattern badCharacterRegex = Pattern.compile("[^\\x20-\\x7E]");

    private boolean properLength(String u, String p)
    {
        return (u.length() > 3 && u.length() <= 12) && (p.length() > 8 && p.length() <= 30);
    }

    private boolean properFormat(String u, String p)
    {
        return usernameRegex.matcher(u).matches() && passwordRegex.matcher(p).matches();
    }

    private String stripBadStuff(String stuff)
    {
        // Just in case or something: force the value to ASCII, then drop any remaining non-printable characters.
        String ascii = new String(stuff.getBytes(StandardCharsets.US_ASCII), StandardCharsets.US_ASCII);
        return badCharacterRegex.matcher(ascii).replaceAll("");
    }
    
  2. And the login:

    // Assumed state the original leaves undefined: a global (per IP / cookie) flag, a per-user flag,
    // and the two collaborators the answer says you must supply yourself.
    private boolean loginTriesExceeded = false;     // Currently unhandled for example.
    private boolean userLoginTriesExceeded = false; // Currently unhandled for example.
    private Database DB;                            // Assumed type; DB.lookup(user, pass) tests the plaintext password against the salted hash.
    private void logInvalidAttempt(String user, String pass) { /* your own implementation, see below */ }

    public String login(String user, String pass)
    {
        if (!loginTriesExceeded)
        {
            if ((user != null && pass != null) && properLength(user, pass) && properFormat(user, pass))
            {
                if (!userLoginTriesExceeded)
                {
                    // Strips potential hacker injection attempts. You may want to find another way to log this attempt.
                    // You wouldn't want to log this to a database without parameters/bound variables. That's beyond the scope of this answer. Google it.
                    String newUser = stripBadStuff(user);
                    String newPass = stripBadStuff(pass);

                    // DB.lookup() is assumed to return true only if the plaintext password matches the stored salted hash.
                    if (DB.lookup(newUser, newPass))
                    {
                        return "Hello " + newUser;
                    }
                    else
                    {
                        logInvalidAttempt(newUser, newPass);
                        return "Invalid login.";
                    }
                }
                else
                {
                    return "User login attempts exceeded.";
                }
            }
            else
            {
                return "Invalid login.";
            }
        }
        else
        {
            // Do nothing, or inform the visitor that they've exceeded max global logins based on their IP / cookie
            return null;
        }
    }
    

You would just use logInvalidAttempt(user, pass); when it fails. So instead of just saying, "login failed," you'd say "login failed" and log the attempt, but be careful not to implement any security flaws with this. You will have to ensure that the data is correctly input.

In general, just sanitizing input is not the answer, but I sometimes add it as an additional layer after everything else has finished, just in case. Not always, just sometimes. The example here is for learning purposes.

Keep in mind that you'll have to write your own logInvalidAttempt() function; that is too broad for this answer.

You can also do this for any Content Management System such as Joomla, WordPress, Drupal, Django, et al. They are, after all, open source. So all you need to do is modify the appropriate login function.

You need to also make sure not too much data gets logged. You'll have to cut it off at some point.

TLDR:

  1. Modify login() function.
  2. When the user tries to log in using invalid credentials, log it somewhere.
    • If logging to a SQL Server database, parameterize your queries.
    • If logging to an Oracle database, bind your variables and use prepared statements.
    • If logging to a MySQL database, use prepared statements and bind your parameters.
    • If logging it to a file, or to any database, don't allow it to insert too much data. You gotta cut it off at some point.
  3. Read logs/database.

Mark Buffalo
  • Hey Mark, do you mind deleting your answer? I will delete my question to avoid more complaints. – vianna77 Nov 15 '15 at 15:34
  • @vianna77 Why? It should make people more aware that anyone could modify a few lines of a CMS and capture your password. – Mark Buffalo Nov 15 '15 at 15:40
  • Cause I'm always in favor of peace and I don't like to start a fire. There might be billions of websites teaching how, what and where to trick system security that I could learn the answer of this question from. I just thought I could avoid hours of reading by going through experts on Stack Exchange. If you don't want to delete, ok. But if you don't mind, please go ahead. – vianna77 Nov 15 '15 at 15:43
  • @vianna77 May I ask who is complaining? I'd prefer to keep it up because it's a really good question, and it highlights the blind faith that people place in websites, which can easily be modified to do something malicious. Although someone could easily build their own malicious website, it's a lot easier to get this done with a `CMS`. And folks need to realize that you shouldn't use the same passwords for every website. This `logging` issue is defeated with good password practices. – Mark Buffalo Nov 15 '15 at 16:44
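The following is an added example, not code from the question or the answer above. It implements what schroeder's comment and the answer's TL;DR actually recommend: record the *failure* (username, time, source), never the submitted password value, write it with a parameterized query, cap the logged field lengths, and lock the account once too many failures land inside a time window. It assumes an in-memory SQLite database, PBKDF2-HMAC-SHA256 as the password hash, and the thresholds `MAX_USER_FAILURES` and `FAILURE_WINDOW_SECONDS`, all of which are choices made here for illustration rather than anything the original specifies.

```python
import hashlib
import hmac
import os
import sqlite3
import time

MAX_USER_FAILURES = 5          # failures inside the window before the account is locked (assumed)
FAILURE_WINDOW_SECONDS = 900   # sliding window for counting failures (assumed)
MAX_FIELD_LEN = 64             # cap logged fields so one huge submission can't bloat the log


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever salted password hash your system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginService:
    def __init__(self) -> None:
        # In-memory SQLite keeps the example self-contained; a real deployment would use its own store.
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
        # Note the schema: there is no column for the attempted password at all.
        self.db.execute("CREATE TABLE failed_logins (ts REAL, username TEXT, source TEXT)")
        # Dummy credentials so an unknown username costs the same hashing time as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("", self._dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.db.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)),
        )
        self.db.commit()

    def failure_count(self, username: str, now: float) -> int:
        # Only failures inside the sliding window count toward the lockout.
        row = self.db.execute(
            "SELECT COUNT(*) FROM failed_logins WHERE username = ? AND ts > ?",
            (username[:MAX_FIELD_LEN], now - FAILURE_WINDOW_SECONDS),
        ).fetchone()
        return row[0]

    def is_locked(self, username: str, now: float) -> bool:
        return self.failure_count(username, now) >= MAX_USER_FAILURES

    def failed_login_rows(self) -> list:
        # What an operator reviewing the log would see: who, when, from where.
        return self.db.execute(
            "SELECT ts, username, source FROM failed_logins ORDER BY rowid"
        ).fetchall()

    def login(self, username: str, password: str, source: str, now: float = None) -> str:
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            # Locked accounts are refused before any credential check, even with the right password.
            return "Account temporarily locked."
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        salt, stored = row if row is not None else (self._dummy_salt, self._dummy_hash)
        candidate = hash_password(password, salt)
        if row is not None and hmac.compare_digest(candidate, stored):
            return "Hello " + username
        # Record the failure with bound parameters and truncated fields; the submitted
        # password is deliberately not part of the INSERT.
        self.db.execute(
            "INSERT INTO failed_logins (ts, username, source) VALUES (?, ?, ?)",
            (now, username[:MAX_FIELD_LEN], source[:MAX_FIELD_LEN]),
        )
        self.db.commit()
        return "Invalid login."


if __name__ == "__main__":
    # Constructed sample run: one user, one good login, then repeated bad guesses.
    svc = LoginService()
    svc.add_user("alice", "correct horse battery staple")
    t0 = 1_000_000.0
    print(svc.login("alice", "correct horse battery staple", "10.0.0.5", now=t0))
    for i in range(MAX_USER_FAILURES):
        print(svc.login("alice", "wrong-guess", "10.0.0.5", now=t0 + i))
    print(svc.login("alice", "correct horse battery staple", "10.0.0.5", now=t0 + 10))
    print(svc.failed_login_rows())
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production you would leave it at the default. Because the username is bound as a parameter, a value such as `bob'; DROP TABLE failed_logins; --` is stored as a literal string rather than being interpreted, which is the point behind the answer's "parameterize your queries" advice.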