Don't log usernames for bad logins

February 25, 2009

This used to be widely understood around Unix, but it's evidently slipped from common knowledge over time:

It's a mistake to log nonexistent usernames on bad logins.

(Corollary: it is an especially bad mistake to log them by default.)

To illustrate why I say this, let me tell you what happened to me recently. I normally leave myself logged in to my office workstation with the screen locked and blanked. This weekend, my office workstation crashed and rebooted because of some ongoing issues; as I don't use GDM et al, it sat there at a console login, and of course it blanked the screen. So on Monday morning I came in, saw a blank screen, and automatically did what I usually do: I tapped the shift key to wake up the X server and typed in my password to unlock the screen. I didn't bother stopping to look at the screen; I generally type faster than the screen wakes up, and this is all a well honed reflex anyways.

Of course, I wasn't typing my password to the X screen saver, I was typing my 'login name' to the login program. Which, on Fedora, logs unknown login names to syslog. Cue cursing, shooting of syslogd, and hand-editing syslog files. (And a reboot.)

(I pause here to be very thankful that my workstation is not hooked in to our central syslog server.)

The problem with logging nonexistent usernames is that sooner or later you will inevitably log someone's password in plain text. They will be operating on reflex as I was, or they will have focused the wrong widget, or typed ahead except the typeahead got eaten, or didn't notice that the system wasn't prompting them for what they thought it was, and boom, there goes their password. At best, they have to change it. At worst, they have no idea that it got logged and should be changed immediately, and will instead happily keep on using it.

(The other reason not to do this is that you don't really care about login attempts to nonexistent users except in very rare cases. In fact, you don't really care about login attempts to real users, because if you run an Internet-exposed machine you can safely assume that people are trying to log in to all of your accounts all of the time.)

This applies to more than Unix logins; it applies to anything that asks for a login, web services included. Perhaps especially web services.
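As an added example (not code from the original post), here is one way a login program or web service can write a useful failure record without ever putting an unknown login name on disk. The account set, the per-host key and the tag scheme are all assumptions of this example: a real account is named in the log because its name is already public on that system, while an unknown name is reduced to its length plus a short keyed HMAC tag, which lets an operator notice repeated attempts against the same bogus name without ever storing the string that might be someone's password.

```python
import hashlib
import hmac
import logging
from typing import Iterable

logger = logging.getLogger("login")

# Constructed sample account database; on a real system this would be
# whatever backs getpwnam() or the web application's user table.
KNOWN_USERS = {"cks", "alice", "bob"}

# Hypothetical per-host secret. It only serves to correlate repeated
# attempts against the same unknown name; anyone reading the log but
# not holding the key cannot recover the name from the tag.
CORRELATION_KEY = b"constructed-example-key-rotate-me"


def correlation_tag(name: str, key: bytes = CORRELATION_KEY) -> str:
    """Short keyed digest of an unknown login name.

    The log records this tag instead of the name, so a password typed at
    the wrong prompt never reaches disk in the clear, yet repeated
    attempts against the same bogus name still look like the same thing.
    """
    digest = hmac.new(key, name.encode("utf-8", "surrogateescape"),
                      hashlib.sha256)
    return digest.hexdigest()[:12]


def failed_login_message(name: str, source: str,
                         known_users: Iterable[str] = KNOWN_USERS) -> str:
    """Build the audit line for a failed login without ever embedding a
    username that this system does not know about."""
    if name in set(known_users):
        # Real account: its name is public information on this system.
        return f"failed login for user {name} from {source}"
    # Unknown account: the string could be anything, including someone's
    # password. Record only its length and a keyed correlation tag.
    return (f"failed login for unknown user (len={len(name)}, "
            f"tag={correlation_tag(name)}) from {source}")


def record_failed_login(name: str, source: str,
                        known_users: Iterable[str] = KNOWN_USERS) -> str:
    """Emit the failure record through the logging subsystem and return it."""
    msg = failed_login_message(name, source, known_users)
    logger.warning(msg)
    return msg


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(message)s")
    record_failed_login("alice", "console")
    # Constructed mistake: a password typed at the login: prompt.
    record_failed_login("hunter2-oops", "console")
```

The length is kept because it is harmless on its own and still distinguishes a fat-fingered one-character name from a twelve-character string that was probably a password; the tag, not the name, is what an operator would grep for when checking whether the same unknown name keeps coming back. Rotating the key periodically limits how long an attacker who later obtains it could test candidate strings against old tags.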

Sidebar: on well honed reflexes

Due to my reflexive locking of X sessions, my reflex of typing my password to blank screens is so well developed that it is dangerous for me to let my display blank through inactivity. Even if I consciously know that I didn't lock the display, my automatic reaction can kick in before I stop myself. And if I don't remember, well, it's pretty hopeless.

Partly as a consequence of this, I have developed somewhat of a habit of not leaving focus on any X window that will accept keyboard input. If I'm not actively typing at something, I'll deliberately focus away from my xterms and so on. (If nothing else, this is a good way to avoid tragic consequences if I accidentally brush the keyboard. It's especially good if you're a vi user.)

Written on 25 February 2009.

Last modified: Wed Feb 25 00:17:24 2009