16

Is it legal to store/log mistyped passwords?

How many of you have seen this happen in a log file or DB?

Zuly Gonzalez
Olivier
  • If you and the user agree on such a behavior, I guess there is no law that forbids this. But why would you want to do that? – Gumbo Oct 23 '11 at 13:35
  • 8
    I guess it is obvious that this is an extremely bad idea from a security perspective because the wrong passwords are most likely extremely close to the real one. As for the legal aspect, you forgot to mention for which country you are asking. I would not do this in Germany for example. – Hendrik Brummermann Oct 23 '11 at 13:42
  • 4
    Related is the problem of logging the usernames of people who have put in the wrong password. This is a security risk because the username is often the correct password when the user is out of sync with the user: password: prompts. – Jerry Asher Oct 24 '11 at 01:42
  • I dunno about passwords but it seems legal to log and sell the users of failed logins: ["The Wall Street Journal divulged to seven of its partners the email address of users who enter the wrong password"](http://www.theregister.co.uk/2011/10/11/websites_share_usernames) – Gennady Vanin Геннадий Ванин Nov 09 '11 at 07:06
  • Isn't there some risk you could be prosecuted for a lesser "attempted" variant of computer intrusion (hacking), or some anti-phishing statute, if the prosecutor argued that you intended to use the information maliciously? – Jeff Burdges Dec 02 '11 at 16:54
  • @JeffBurdges "_if the prosecutor argued that you intended to use the information maliciously?_" **intent** to do something is the same thing as trying to do something. Intent is not a crime in itself. – curiousguy Jul 05 '12 at 16:53

5 Answers

24

I don’t think that “legal” is the right term to use.

It’s not wise: a lot of times the “right” password is only one letter different from the “wrong” password (typo/capital letters/…). So if somebody evil gets this log, he may easily guess the correct password.

Another problem is that people re-use passwords, so they use the same password for your site/gmail/facebook/bank. So even if your site doesn’t have sensitive information about users, it’s very possible that getting a user’s credentials from your site will let a hacker access the user’s other accounts (email/CC/bank). And you don’t want to be the source of something like that.

Hendrik Brummermann
AaronS
  • 2
    I heard this for the first time from a friend who found out, his company was doing this with their software. He is working in the IT dept. and every time a user would enter a wrong PW, it would be logged in a DB. This threw me off and that's why I was asking here... it's not something I'm going to do :) – Olivier Oct 23 '11 at 17:17
  • 1
    What you could do is _store the hash_ (using the exact same way you store passwords in your user table) of the login attempt. At least you will know _how many failed login attempts have been made_ and when. Some legwork would let you know if this is a naive dictionary attack or whatever. – bobobobo Jun 05 '13 at 20:26
  • @bobobobo: For information, Dovecot, the security-minded MDA, implements this (storing hashes of failed passwords; to reduce potential information leakage it can store only a substring of the hash) to allow administrators to distinguish between a brute-force attack and a wrongly configured client trying the same wrong password endlessly. – WhiteWinterWolf Dec 27 '15 at 16:55
8

As mentioned, it is perfectly legal in many jurisdictions, as the owner of the machine can do what they want with this data (it doesn't count as personal data under most data protection statutes).

But it raises a risk - that the viewer of those logs could build up a good idea of people's passwords, which removes the auditability of actions (they could log in as the individual whose password has been logged) so it would be a very bad idea, and in regulated industries would raise a problem!

Rory Alsop
  • So, in those jurisdictions, you wouldn't even have to inform the customer of such a possibility? Somewhat a scary thought... – Olivier Oct 23 '11 at 20:29
  • 2
    @Oliver - you'll often find a comment in the terms and conditions mentioning that anything/everything may be logged. – Rory Alsop Oct 24 '11 at 07:38
5

Very bad idea indeed. People sometimes enter the password for another site. If that were logged it would be valuable information for anyone who can access the log. One can often guess, from a small number of sites, for which of these the password is correct.

4

To add to previous answers, you should not log the username either, it's pretty common that people get "out of sync" and type their password in the login field (bad UI being the main culprit here).

Bruno Rohée
  • That's a good point @Bruno – Rory Alsop Oct 25 '11 at 12:31
  • I just saw @Jerry actually made the same point a lot earlier in a comment to the OP – Bruno Rohée Oct 25 '11 at 14:47
  • 2
    The username used in failed logins is **potentially useful** information that can be used to detect ongoing attacks. OTOH, if a particular user, on a given TCP connection, mistypes his password and then uses the correct password, there is no need to record the failed attempt. – curiousguy Jul 05 '12 at 16:58
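The two safer alternatives raised in this thread (keep only a truncated hash of the failed attempt, as bobobobo and the Dovecot comment on the accepted answer describe, and do not write a "username" that matches no account, since it is often a password typed into the wrong field, as Bruno's answer says) can be combined in one failed-login recorder. The following is an added example and not code from the original page or from Dovecot; the user table, the audit key, the fingerprint length of 6 hex characters and the classification thresholds are all assumptions chosen for illustration, and the plain SHA-256 used for the user table exists only to keep the login check runnable (a real user table uses a slow password hash).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed user table (hypothetical). Plain SHA-256 here only so the
# example runs stand-alone; use argon2/bcrypt/scrypt in a real system.
USERS = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
    "bob": hashlib.sha256(b"hunter2").hexdigest(),
}

# Audit-log key (assumption): kept apart from the user database, so a
# leaked log alone cannot be brute-forced offline against the fingerprints.
AUDIT_KEY = secrets.token_bytes(32)
FINGERPRINT_LEN = 6  # hex chars retained; enough to compare attempts,
                     # far too little to recover a password from


@dataclass(frozen=True)
class FailedLogin:
    principal: str    # real username if it exists, otherwise a placeholder
    fingerprint: str  # truncated keyed hash of the attempted password
    source: str       # client address as reported by the server


def fingerprint(password: str, key: bytes = AUDIT_KEY) -> str:
    """Keyed, truncated hash of an attempt. Two identical wrong attempts
    get the same value; nothing about the password itself is stored."""
    mac = hmac.new(key, password.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:FINGERPRINT_LEN]


def record_failure(username: str, password: str, source: str,
                   key: bytes = AUDIT_KEY) -> FailedLogin:
    # Never write an unknown "username": it may be a password typed into
    # the wrong field. The fingerprint still lets us count the attempt.
    principal = username if username in USERS else "<unknown principal>"
    return FailedLogin(principal, fingerprint(password, key), source)


def login(username: str, password: str, source: str, log: list,
          key: bytes = AUDIT_KEY) -> bool:
    """Authenticate; on failure append a FailedLogin record (no plaintext)."""
    expected = USERS.get(username)
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if expected is not None and hmac.compare_digest(expected, supplied):
        return True
    log.append(record_failure(username, password, source, key))
    return False


def simulate(username: str, attempts: list, source: str,
             key: bytes = AUDIT_KEY) -> list:
    """Run a sequence of attempts from one client; return retained records."""
    log: list = []
    for pw in attempts:
        login(username, pw, source, log, key)
    return log


def classify(failures: list) -> str:
    """Tell a stuck client from a guessing attack using only fingerprints.
    Thresholds are illustrative assumptions, not tuned values."""
    if not failures:
        return "none"
    distinct = {f.fingerprint for f in failures}
    if len(distinct) == 1 and len(failures) >= 3:
        return "repeated-same-password"   # e.g. a client with a stale credential
    if len(failures) >= 5 and len(distinct) >= 0.8 * len(failures):
        return "guessing"                 # many different passwords tried
    return "typos"
```

Because the fingerprint is keyed, an attacker who obtains the log but not the audit key cannot test candidate passwords against it offline; because it is truncated, even a stolen key yields only a weak filter rather than a confirmation. Identical attempts across different accounts still collide, which is useful for spotting one password sprayed at many users but is also a correlation a log reader can see; hash the username into the HMAC input if that linkage is unwanted.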
1

I have seen that not only the password is stored in the database, but also the username, so the DBA or someone who has access to the log could imagine the correct credential.

Does this type of log information have any worth? IMO no, because it is better in terms of security that the website informs the user with an alert email about "failed logins". The only worth logging that information could have is to (1) know the pattern that some hacker is trying to use to log in and (2) which user he is considering.