I am working on an authentication system for an online game programmed using PHP and I would like to make sure it is secure. To help with this, I think logging would be useful (and good practice for me as well as a good test for a system logging class). I don't want to use the web server's logs, but I would like to know what would be important to log for failed authentication attempts.

I've pondered some options but I don't want to miss anything important. Below is a list of what I've considered so far.

  1. Nothing (maybe it's pointless?)
  2. full page URL
  3. username attempted
  4. ip address
  5. time/date

What other things do you suggest to make sure to log?

A: 

Attempted password. Referrer if any (though for security reasons it's probably not much help).

John Lockwood
I would not consider it good to your users to store the password. E.g. somebody accidentally types his email password. And because you also have his email address, it will not be hard to misuse.
Peter Smit
I agree with Peter. I don't believe I currently have a valid need to store the attempted password. I don't believe that would provide any clues to break ins or misuse of the system.
Good Time Tribe
It would if the password was "0x1de" and the failed attempt was "oxide" - that's clearly not a break-in, just a user who's forgotten their password-mangling rules.
paxdiablo
...Which you shouldn't know, since you're hashing your passwords and not storing the originals, right?
Sidnicious
+2  A: 

First, what kind of concerns are on your mind?

Are you trying to find weaknesses in your software?

  • Username, full Page URL, time/date

Worried about hacking?

  • IP Address, username, time/date

Just trying to eat space on your server's HDD?

  • Username, full page URL, ip address, time / date

:)

Cyril Gupta
I find this answer to be most complete because it anticipates different scenarios. Thank you!
Good Time Tribe
A: 

"and I would like to make sure it is secure."

No amount of logging is going to make your system more secure.

However, if your reason is to collect stats on failed attempts and look for possible problem areas (so you can, for example, ban IP addresses or accounts, or identify users with very bad memory), I would opt for logging the date, time, username, IP address and attempted password.

The IP address isn't as useful as you might think due to DHCP, NAT'ing and such but it can still be moderately useful.

None of this will prevent break-ins since a successful break-in will have the real password anyway (from social engineering or keyloggers).

We used to have a bit of fun at a major telco whose field engineers logged in to get the workload for the next few hours.

We would see them connect and get the password wrong, then look up their real password in LDAP and give them a call on the mobile. "Excuse me, Bob, but you seem to be having trouble logging in. You should be using 'octagon' as your password, not 'hexagon'."

That freaked 'em out no end and, obviously, our jobs weren't overly stressful at that point :-)

paxdiablo
You are correct and I understand the difference between having a padlock on a door vs having a camera on the same door. I'm looking to have that virtual camera to help me find clues for "possible problem areas". Thanks for the info and the reply.
Good Time Tribe
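As an added example (not code from the question or any answer above), here is a small PHP failed-login logger that records the fields the answers agree on (timestamp, username, IP, URL, referrer), deliberately leaves out the attempted password for the reason given in the comments, and adds a per-IP tally so repeated failures from one address stand out. The file path, the function names and the JSON-lines format are my assumptions.

```php
<?php
// Added example, not from the original post. Assumed: log path, function
// names, JSON-lines format. Call log_failed_login() after password_verify() fails.
declare(strict_types=1);

const FAILED_LOGIN_LOG = __DIR__ . '/failed_logins.log'; // assumed path

/**
 * Record one failed authentication attempt.
 * Logged: UTC timestamp, username as typed (control chars stripped, truncated),
 * client IP, request URL, referrer. Deliberately NOT logged: the attempted
 * password. A near-miss like "oxide" vs "0x1de" would reveal the real secret,
 * and with hashed password storage you could not compare it anyway.
 */
function log_failed_login(string $username, ?array $server = null): void
{
    $server = $server ?? $_SERVER;
    $entry = [
        'ts'       => gmdate('Y-m-d\TH:i:s\Z'),
        'event'    => 'auth_failure',
        'username' => substr(preg_replace('/[\x00-\x1F\x7F]/', '', $username), 0, 64),
        // REMOTE_ADDR is the TCP peer; behind NAT or a proxy many users share it.
        'ip'       => $server['REMOTE_ADDR'] ?? 'unknown',
        'url'      => ($server['HTTP_HOST'] ?? '') . ($server['REQUEST_URI'] ?? ''),
        'referrer' => $server['HTTP_REFERER'] ?? null,
    ];
    // One JSON object per line keeps the file easy to grep and to aggregate.
    file_put_contents(FAILED_LOGIN_LOG, json_encode($entry) . PHP_EOL, FILE_APPEND | LOCK_EX);
}

/**
 * Count failures per IP over the last $window seconds, so repeated failures
 * from one address (a "possible problem area") are easy to spot.
 */
function failures_per_ip(int $window = 900): array
{
    $counts = [];
    $cutoff = time() - $window;
    $lines  = file(FAILED_LOGIN_LOG, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $e = json_decode($line, true);
        if (is_array($e) && strtotime($e['ts']) >= $cutoff) {
            $counts[$e['ip']] = ($counts[$e['ip']] ?? 0) + 1;
        }
    }
    arsort($counts); // busiest source first
    return $counts;
}
```

The tally is a starting point for review, not an automatic ban list: as the last answer notes, one IP behind NAT can be many legitimate users.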