Is it common practice to log rejected passwords?

Logging the value of a failed password attempt (cleartext or otherwise) seems like a security anti-pattern. I've never seen a web app that does this, and I'm not aware of any default system services such as SSH that do either. As pointed out by @tylerl below, most systems simply log meta-information about an access attempt (e.g. username, time, perhaps IP address, etc.).

Why This Should Be a Security Anti-Pattern

Offhand, I can think of three reasons why logging the value of a failed password attempt is a bad idea:

1. User Typos

It's extremely common for people to mistype a password by one or two characters. Examining a log file of failed attempts would make many of these easy to figure out, especially if you could contrast a sequence of failed attempts with a successful auth.

2. Guess-and-Check

Many people have two or three passwords they cycle through for everything. Consequently, when they forget which password they used on a given site, they just cycle through all of them until they find a match. This would make it trivial to hack their accounts on other sites.

3. Log Bloat

Storing failed passwords serves no useful purpose for the vast majority of authentication services in production today. While there may be some edge cases, for most people, storing this data is simply throwing away disk space.

On Relevant Legislation / Standards

I don't know of any standards (PCI, HIPAA, etc.) that specifically address procedures for storing failed login attempts, but I think that, granted the above facts, a good legal argument could be made for why the same standards that apply to storing passwords in general should also apply to failed-password attempts. In other words, you could make a legal argument that a failed password is still categorically a password, and as such it is subject to the same standards.

While I'm certainly not a lawyer, I wouldn't want a judge to have to decide whether or not I was negligent or in violation of industry standards because failed passwords were stored in cleartext and consumers suffered the consequences. I don't think that would end with a favorable decision.

I agree with the OP that it might be useful for the various standards bodies to address this issue specifically (if they indeed haven't already). To that end, my suggestion would be to create a compliance standard of not storing the value of failed password attempts at all.


There's no legitimate purpose to log plaintext passwords for any application, especially for an incorrect login. It may be logged by chance: I've casually looked at auth.log for other purposes and seen a user accidentally type their password into the login field (I do record the login field to see which accounts someone is attempting to log in to); I notified the user of it and they changed their password.

On the flip side, as a user the conservative assumption is to say that every random application you use is logging every password of incorrect attempts. This is why it is a bad idea to have a small number (three) of random passwords you cycle through, versus a unique password for each site managed in an encrypted password list (possibly using a tool like KeePass).

On this note, Mark Zuckerberg (Facebook founder) has been accused by businessinsider.com of using logs of login/password combinations (even from incorrect entries) from thefacebook.com (an early version of Facebook) to hack into the email accounts of Harvard Crimson journalists who were investigating him. From the Daily Mail:

However after further claims emerged, Zuckerberg apparently became anxious that the paper would run a story on him after all.

Business Insider claimed he then told a friend how he had hacked into the accounts of Crimson staff.

He allegedly told the friend that he used TheFacebook.com to search for members who said they were Crimson staff.

Then, he allegedly examined a report of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com.

Also somewhat relevant: xkcd (imagine that the evil accounts also logged attempted passwords to increase their success rate).
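The two answers above agree on the same practice: record metadata about a failed attempt (account, time, source address, outcome) and never the submitted credential, and treat a value typed into the username field with suspicion because it may be a password. The following is an added example, not code from any of the answers, that puts both points into a small audit-logging helper. The account table, salt, username policy, logger name and IP addresses are all constructed for the illustration; the `CredentialScrubber` filter and the `[MASKED]` treatment of policy-violating usernames are this example's own choices, not a standard API.

```python
"""Audit logging for authentication attempts without ever logging the password.

Added example (not from the answers above).  Assumptions, all constructed:
the USERS table and its salt, the account-name policy USERNAME_RE, and the
sample IP addresses.
"""
import hashlib
import hmac
import json
import logging
import re
from datetime import datetime, timezone

# Field names that must never reach a log record, whatever code produced them.
SECRET_KEYS = frozenset({"password", "passwd", "pass", "pw", "secret", "token"})

# Constructed account-name policy: short, lowercase, limited character set.
# Anything that fails it may be a password typed into the wrong field.
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")

PBKDF2_ROUNDS = 100_000
_SALT = b"constructed-salt-not-for-production"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user table: username -> (salt, derived key).  Not real accounts.
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


def scrub(event: dict) -> dict:
    """Return a copy of `event` with every credential-like key replaced by a marker."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else v) for k, v in event.items()}


def safe_username(username: str) -> str:
    """Log the name only if it matches the account-name policy; otherwise mask it.

    No hash of the masked value is kept: a truncated hash of what may be a
    password would itself be an offline-guessable leak.
    """
    return username if USERNAME_RE.match(username) else "[MASKED]"


class CredentialScrubber(logging.Filter):
    """Defence in depth: strip credential-like fields from every record, even
    ones a careless call site attached, before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        event = getattr(record, "event", None)
        if isinstance(event, dict):
            record.event = scrub(event)
        return True


class MemoryJsonHandler(logging.Handler):
    """Keeps JSON lines in memory so the written log can be inspected here;
    a real deployment would write to a file or a log shipper instead."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(json.dumps(getattr(record, "event", {}), sort_keys=True))


def build_logger(name: str = "auth-audit-example"):
    """Create an isolated logger with the scrubbing filter and in-memory sink."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = MemoryJsonHandler()
    logger.addHandler(handler)
    logger.addFilter(CredentialScrubber())
    return logger, handler


def authenticate(username: str, password: str, source_ip: str, logger: logging.Logger) -> bool:
    """Verify the credential and log the attempt's metadata, never the password."""
    salt, expected = USERS.get(username, (_SALT, b"\x00" * 32))
    # Always derive a key so unknown and known accounts take the same time.
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected) and username in USERS
    logger.info("auth attempt", extra={"event": {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": "auth_success" if ok else "auth_failure",
        "user": safe_username(username),
        "src_ip": source_ip,
    }})
    return ok


if __name__ == "__main__":
    log, sink = build_logger()
    authenticate("alice", "correct horse battery stapel", "203.0.113.7", log)   # typo
    authenticate("correct horse battery staple", "", "203.0.113.7", log)        # wrong field
    print("\n".join(sink.lines))
```

Running the module prints two JSON lines: an `auth_failure` for `alice` with no trace of the mistyped password, and a second one whose `user` field is `[MASKED]` because the value did not look like an account name. The `CredentialScrubber` is attached to the logger rather than relied upon at each call site, so a record such as `extra={"event": {"user": ..., "password": ...}}` added by mistake elsewhere in the code base still reaches the sink with the password replaced.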


It is not uncommon to log the fact that an authentication attempt has failed and which user it was for. This can prove very useful in forensic troubleshooting. It is extremely uncommon, and irresponsible from a security perspective, to log what the rejected password was. This information serves no useful purpose and can be used against you.

EDIT
You should hopefully be able to expect that a reputable and well-organized company would not be selling your password information, since this would really be bad for them if it were found out. But in the interest of your own security, you should always be prepared for information you give out to be used against you, because it is always a possibility. This goes double for any organization whose reputation you can't reliably establish.