There are two ways to log a password - I do not see any problem with either of them.

1. Do not log the password at all; just log the user.
2. Log '******' in place of the password: logger.info("User=" + user + " logged in with Password=******");

Do we have any best practices for these situations?

+8  A: 

What is the point of logging '**' in the log? It's just extra text that takes up space and doesn't provide any information. Just leave it out.

Michael Bray
I think the OP is interested in reporting logins performed by other means than the password, and in distinguishing them. It makes sense _not_ to report the password in the log, nor multiple stars.
Stefano Borini
What about the question makes you say that? I don't get that implication at all.
Michael Bray
+2  A: 

As long as no information about the password is saved, anything is fine.

Ignacio Vazquez-Abrams
+1  A: 

I would never have the password in any log file.

Chris Kloberdanz
Never is always (;-)) too strong a word.
jae
Indeed, see https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/34606
jleedev
A: 

I think that the existence of a password should be logged so that in the future someone could read the logs and find out how a user logged in (password, OID, etc.).

ridecar2
A: 

Depending on your DB structure, there is no real purpose in logging the password they logged in with, because it can be inferred that if they logged in, then they used the current password :)

If you have a history of password changes (and obviously you are storing the password in a hashed format so it can't be reversed anyway), you can rely on this system completely to determine, if for some reason it's ever required, that they did indeed use password X, which they had between Date FOO and Date BAR.

Anyway, the point is, "user X logged in" is all that really needs to be logged.

Noon Silk
A: 

Don't bother. Logging asterisks is hazardous if your masked password includes the same number of stars as the length of the password -- you're giving information about the password away by doing that. The alternative is to always log a different number of asterisks, but when you resort to doing that, is there really a point?

Aaron Klotz
A: 

Don't log the passwords or ***. If you want to know different methods of authentication, then categorise these and log those accordingly.

I fail to see why logging the password or *** would be of any benefit; in fact, logging the password is a complete no-no and a security risk.

Wim Hollebrandse
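The approach the two answers above converge on (log who logged in and how, never the credential, and use a fixed placeholder so the log does not leak the password's length) written out as a small Python example. This is an added illustration, not code from the original thread or any answerer; the `AuthMethod` categories, the `SECRET_KEYS` set, the `redact`/`login_line` helpers and the sample events are all assumptions made for the example.

```python
"""Added example (not from the original thread): log login events by user and
authentication method, with the credential never reaching the log.

Hypothetical names for illustration: AuthMethod, SECRET_KEYS, redact(),
login_line(), demo()."""
import io
import logging
from enum import Enum


class AuthMethod(Enum):
    """Categories of authentication, logged instead of any credential material."""
    PASSWORD = "password"
    SSO = "sso"
    API_KEY = "api_key"


# Field names that must never appear in a log line with their real value.
SECRET_KEYS = frozenset({"password", "passwd", "pwd", "secret", "token", "api_key"})

# A constant placeholder. Deliberately NOT '*' * len(password): a run of
# asterisks as long as the password reveals its length, which is information
# about the secret that the log has no business holding.
REDACTED = "[REDACTED]"


def redact(fields: dict) -> dict:
    """Return a copy of `fields` with every secret-bearing key replaced by REDACTED."""
    return {k: (REDACTED if k.lower() in SECRET_KEYS else v) for k, v in fields.items()}


def login_line(user: str, method: AuthMethod, success: bool, **extra) -> str:
    """Build the log line for one login attempt.

    The credential is not a parameter; the method category and outcome are what
    an auditor later needs. Any extra context is scrubbed before formatting so a
    careless caller who passes password=... still cannot leak it.
    """
    outcome = "success" if success else "failure"
    tail = "".join(f" {k}={v}" for k, v in sorted(redact(extra).items()))
    return f"login user={user} method={method.value} outcome={outcome}{tail}"


def make_logger(stream) -> logging.Logger:
    """Standard-library logger writing to an in-memory stream (for the demo)."""
    logger = logging.getLogger("auth-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def demo() -> str:
    """Run three constructed login events through the logger and return the log text."""
    buf = io.StringIO()
    log = make_logger(buf)
    # Constructed sample events; "hunter2" stands in for a real credential.
    log.info(login_line("alice", AuthMethod.PASSWORD, True, ip="10.0.0.5"))
    log.info(login_line("bob", AuthMethod.SSO, True, idp="corp-idp"))
    # A caller mistakenly includes the password in the context: it is redacted.
    log.info(login_line("carol", AuthMethod.PASSWORD, False,
                        ip="10.0.0.9", password="hunter2"))
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The useful audit facts (user, method category, outcome, source address) all survive, while the only place the secret could have entered the line is scrubbed to a constant-length token.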
A: 

In the first place, why would you want such thing?

I think there are some more options (from more to less secure)

  • do not log password

  • for the purpose of identifying among some known list of passwords, do log a cryptographically strong hash of the password using e.g. MD5/SHA1. Storing the number of asterisks is a form of this one, but less secure.

  • to be able to recover the password, log an encrypted one using e.g. AES.

  • log the plain text password.

Anton Smyk