While pretty much everyone in the modern world understands that passwords should be treated as private information and protected accordingly, many organizations do not apply the same care to an equally sensitive collection: the incorrect passwords that users enter while unsuccessfully attempting to log in.
In fact, while systems designed according to standard security practices do not store passwords in any form from which they can be recovered (even encryption is not considered adequate protection, since whoever obtains the key can decrypt them), some of those same systems store “failed passwords” in plaintext, without any protection at all. (Standard practice is that when a password is established it is “hashed” with a salted, deliberately slow one-way function such as bcrypt, scrypt, Argon2 or PBKDF2; when the user later attempts to log in, the password entered is hashed the same way and the resulting value is compared with the previously stored hash, so the password itself never needs to be kept.)
Why is storing “failed passwords” dangerous?
If the log file is ever stolen, the thieves may discover that:
1. Some of the stored passwords may actually be correct
People sometimes make typos in their usernames while entering their correct passwords. If a failed attempt logs a username of “JohhnSmith” and a password of “stream72!Q”, for example, the odds are decent that a user with the username “JohnSmith” has the password “stream72!Q”.
2. Sometimes it is simple to extrapolate the correct password from an incorrect password
Sometimes users make typos while entering their passwords, and they do so more often than in usernames, since most systems mask password characters as they are typed and so give no visual feedback. As a result, logs of incorrect password attempts often contain data from which it is relatively simple to extrapolate likely candidates for the correct password. If a username-password combination that failed to authenticate is listed as “JohnSmith – 4scoreand77years”, for example, there is a good possibility that by dropping the second “7” an attacker will gain entry.
3. People frequently enter the correct password – to another system
Haven’t we all, at one or more points in our life, typed the password to one system while logging into another? We aren’t the only ones who know that such mistakes happen; the “bad guys” also know that such a phenomenon is common. If a hacker obtains the failed password log, don’t you think that he or she is going to use its contents to try to log into other systems?
The problem of valid passwords being used on the wrong system is even larger – some users reuse passwords, so the “username-failed password combination” may actually work for multiple systems. In fact, because many people utilize a single collection of passwords for all sites that they access, and, if they ever forget a password for a particular site, they simply cycle through all of the passwords in their collection until they get a hit, storing failed password attempts could potentially compromise the security of as many as all of a user’s accounts.
The bottom line is that while there is plenty to learn from failed login attempt logs, think twice before storing the actual passwords entered during such login attempts; lawmakers might even want to consider explicitly including such data in any new regulations that they create to protect the privacy and security of sensitive personal information.
Additionally, keep in mind that logging every failed login attempt can itself expose a system to attack: by flooding a system with incorrect logins that it dutifully records, attackers can cause it to exhaust some or all of its storage prematurely. (This holds even if only the usernames, timestamps and source addresses, and not the incorrect passwords themselves, are logged.) As such, always plan, design and implement appropriate countermeasures, such as per-source rate limits, caps on log entries per source, and log rotation with alerting on abnormal volume, before activating any system that logs failed login attempts.
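As an added example (not code from the original article), the following Python sketch puts together the two technical points above: the salted, slow one-way hashing scheme that lets a system verify passwords without storing them, and a failed-login log that records who tried, from where and when, but never the submitted password, while capping entries per source so a flood of bogus logins cannot fill the disk. The usernames, addresses, window sizes and the in-memory user store are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

# PBKDF2-HMAC-SHA256 iteration count; a slow hash makes offline guessing expensive.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Only these are stored; the password itself never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Hash the candidate exactly as at enrolment and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Dummy record so unknown usernames cost the same hashing time as known ones.
_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")


class LoginAuditor:
    """Failed-login log that stores metadata only and caps entries per source address."""

    def __init__(self, max_per_window: int = 20, window_seconds: int = 60):
        self.entries = []                       # what would go to the log file
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._recent = defaultdict(deque)       # source_ip -> timestamps of stored entries
        self.dropped = 0                        # entries suppressed because of flooding

    def record_failure(self, username: str, source_ip: str, now: Optional[float] = None) -> bool:
        """Log a failure (username, source, time, outcome). Returns False if rate-capped."""
        now = time.time() if now is None else now
        q = self._recent[source_ip]
        while q and now - q[0] > self.window:   # forget timestamps outside the window
            q.popleft()
        if len(q) >= self.max_per_window:       # flood from one source: count, don't store
            self.dropped += 1
            return False
        q.append(now)
        # Note what is absent: the submitted password is never written anywhere.
        self.entries.append({"ts": now, "user": username, "src": source_ip, "result": "FAIL"})
        return True


def login(users: dict, auditor: LoginAuditor, username: str, password: str,
          source_ip: str, now: Optional[float] = None) -> bool:
    """Authenticate against the hash store; on failure, audit without the secret."""
    record = users.get(username)
    if record is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)   # equalise timing, ignore result
        auditor.record_failure(username, source_ip, now)
        return False
    salt, stored = record
    if verify_password(password, salt, stored):
        return True
    auditor.record_failure(username, source_ip, now)
    return False


if __name__ == "__main__":
    users = {"JohnSmith": hash_password("stream72!Q")}      # constructed user store
    auditor = LoginAuditor(max_per_window=5, window_seconds=60)
    print(login(users, auditor, "JohhnSmith", "stream72!Q", "203.0.113.7"))      # typo in username
    print(login(users, auditor, "JohnSmith", "4scoreand77years", "203.0.113.7"))  # typo in password
    print(login(users, auditor, "JohnSmith", "stream72!Q", "203.0.113.7"))       # correct
    for entry in auditor.entries:
        print(entry)   # no password field appears in any entry
```

The audit entries carry enough to detect brute forcing and credential stuffing (who, from where, how often) without creating the secondary password store the article warns about; the per-source cap is deliberately crude so the point stays visible, and a production system would also rotate and size-limit the log file itself.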
(Please note that, in order to avoid confusion, commas have been placed outside the quotation marks where the latter enclose passwords.)