Educause Security Discussion
mailing list archives
Re: Mitigating Phishing Attacks
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Sun, 18 Nov 2012 08:47:56 -0500
On Wed, 14 Nov 2012 16:23:46 -0600, Steven Tardy said:
> 0a) log all authentications (failed and successful) to a database.
Sorry for the late reply, been a zoo here in my office.
Note that logging failed authentications can be problematic, because if a user
gets out of sync with the input, they can end up entering their password into
the login field. So then you see in your logs:
User 'fredspassword' not authorized.
User 'fred' logged in.
and you've created an unintentional password disclosure. It's probably not a
big problem if you mask out the purported userid if it doesn't exist, or do
something else to ensure that you don't log a password thinking it's a userid.
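One way to implement the masking Valdis describes, as an added example that is not part of the original post or of any product mentioned in the thread: before a failed-authentication record is written, the purported userid is checked against the user directory, and anything that is not a known userid is replaced by a keyed digest. The user directory `KNOWN_USERS`, the `AUTHLOG_KEY` environment variable and the function names are assumptions for this example; the sample values are constructed to mirror the `fred` / `fredspassword` scenario above.

```python
"""Mask the userid field of failed-authentication log lines.

Added example, not code from the list post. Assumes a hypothetical user
directory KNOWN_USERS and an AUTHLOG_KEY environment variable; the sample
values are constructed.
"""
import hashlib
import hmac
import os

# Constructed sample directory; a real deployment would consult its IdP/LDAP.
KNOWN_USERS = {"fred", "alice"}

# Per-deployment secret so the masked token cannot be reversed offline by
# someone who only holds the log file. Read from the environment in practice.
LOG_KEY = os.environ.get("AUTHLOG_KEY", "constructed-example-key").encode()


def mask_unknown_userid(userid: str, known_users=KNOWN_USERS) -> str:
    """Return the userid verbatim if it exists, otherwise a keyed digest.

    A value that is not a known userid may be a password the user typed into
    the wrong field, so it never reaches the log in the clear. The keyed hash
    is stable, which still lets an analyst correlate repeated failures that
    used the same unknown value (a password-spraying pattern, for instance)
    without learning what the value was.

    Caveat: if a typed password happens to equal some other account's userid,
    this check cannot tell; that residual case is not covered here.
    """
    if userid in known_users:
        return userid
    digest = hmac.new(LOG_KEY, userid.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"<unknown-user:{digest}>"


def format_failed_auth(userid: str, known_users=KNOWN_USERS) -> str:
    """Build the 'not authorized' log line with the userid field masked as needed."""
    return f"User '{mask_unknown_userid(userid, known_users)}' not authorized."


if __name__ == "__main__":
    # Constructed inputs reproducing the out-of-sync scenario from the thread.
    for attempt in ("fredspassword", "fred"):
        print(format_failed_auth(attempt))
```

Run stand-alone, the first constructed attempt produces a line of the form `User '<unknown-user:…>' not authorized.` while the second still names `fred`, so the log keeps its value for spotting brute-force patterns without recording the mistyped password.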