Re: Possible Hacking routine

Jake Messinger (jake@ams.com)
Fri, 11 Jul 1997 11:43:18 -0500 (CDT)

On Fri, 11 Jul 1997 thoth@purplefrog.com wrote:

> Robert Hiltibidal <rob@rob.fgi.net>, in message
> <Pine.LNX.3.96.970711053124.3033B-100000@rob.fgi.net>, wrote:

> > coaxed into logging failed attempts? Basically what we want is to log the
> > failed attempt, the username and ip the attempt came from and to really
> > give us that warm fuzzy feeling we'd like to log the username and
> > passwords used.
>
> If you log the passwords you will get incorrect passwords for normal users'
> accounts, from which it would be a small brute-force space to guess the

Nowhere in his email did he mention logging the failed password attempts.
This is the most dangerous and stupidest thing that could be logged!

> correct password. If you have a couple of failed passwords in the logs, it
> might even be easy to hand-guess the correct password.
>
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Jake Messinger 713-772-6690 jake@ams.com
Advanced Medical Systems, Inc. jake@uh.edu
8300 Bissonnet #400
Houston, Texas 77074 http://www.ams.com/~jake
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
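
An added example, not part of the original message or thread: one way to log failed logins with the username and source IP while keeping the submitted password out of the log, then flag sources with repeated failures. The attempt dict layout, function names, and sample values are assumptions constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Only these fields reach the log; the submitted password is deliberately not one of them.
LOGGED_FIELDS = ("time", "event", "username", "src_ip")

def failed_login_record(attempt, now=None):
    """Return one JSON log line for a failed login (attempt is a hypothetical dict)."""
    now = now or datetime.now(timezone.utc)
    record = {
        "time": now.isoformat(timespec="seconds"),
        "event": "login_failed",
        "username": str(attempt.get("username", ""))[:64],
        "src_ip": str(attempt.get("src_ip", "unknown")),
    }
    # json.dumps escapes newlines, so a crafted username cannot forge extra log lines.
    return json.dumps({k: record[k] for k in LOGGED_FIELDS})

def noisy_sources(log_lines, threshold=3):
    """Return {src_ip: failures} for sources with at least `threshold` failed logins."""
    records = [json.loads(line) for line in log_lines]
    counts = Counter(r["src_ip"] for r in records if r["event"] == "login_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample attempts (documentation IP ranges, made-up users and passwords).
SAMPLE_ATTEMPTS = [
    {"username": "root", "src_ip": "192.0.2.10", "password": "guess-1"},
    {"username": "admin", "src_ip": "192.0.2.10", "password": "guess-2"},
    {"username": "guest", "src_ip": "192.0.2.10", "password": "guess-3"},
    # A legitimate user's mistyped password: the value that must never be logged.
    {"username": "alice", "src_ip": "198.51.100.7", "password": "near-miss-typo"},
]
SAMPLE_LOG = [failed_login_record(a) for a in SAMPLE_ATTEMPTS]

if __name__ == "__main__":
    print("\n".join(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG))
```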