1

I have a public-facing web application where anyone can register an account. The passwords I store are salted and hashed.

When someone tries to overtake the account of someone else through guessing passwords I would like to know this. For that reason I would like to log all unsuccessful login attempts.

I think that it wouldn't be a problem to log time, IP address and attempted username. But would it be acceptable to also log the wrong password in clear-text so I can detect the patterns the attacker is trying, or would the risk of being able to deduce correct passwords from misspelled login attempts by legitimate users too big?

Philipp
  • 48,867
  • 8
  • 127
  • 157
  • Do you think it can be dangerous to write so much text for each failed attemps ? Is it possible for someone to overload your hardrive if he has this information ? Could it be a good DDOS door ? – Pierre Feb 22 '14 at 12:34
  • Ah apparently I'm not the only one wondering about "log bloat": http://security.stackexchange.com/questions/16824/is-it-common-practice-to-log-rejected-passwords?rq=1 – Pierre Feb 22 '14 at 12:36

1 Answers1

4

I appreciate where you're coming from, but this is actually very dangerous in a production system. While it might be kosher if 100% of all failed password attempts were in fact random evil people trying to break into your system, the fact is that a lot of bad passwords are actually going to be legitimate users making simple typos. And there's the rub: if someone managed to get a hold of your bad password cache, they'd likely have a bunch of barely typoed legitimate passwords that they'd otherwise have no way of knowing. In effect, every user who mistyped their password would have dramatically weakened their account in the case of a breach—quite possibly fatally.

Logging which accounts get bad passwords, and how often, can be very useful in auditing. So for that, go ahead. Just don't log the failed passwords.

(In practice, the passwords you'd get from doing what you're proposing are likely the same ones available already to tools like John the Ripper, anyway. If you're concerned about users' passwords being compromised, it's likely sufficient to use a tool like John and run known passwords against your user accounts.)

Benjamin Pollack
  • 205
  • 1
  • 4