
Log wrong Username/Password attempts with IP good practice?

Developer (https://www.devze.com), 2023-03-10 12:33, source: web

I've developed an intranet application and implemented a custom ASP.NET Membership Provider with Forms Authentication. I thought it would be a good idea to log all failed login attempts in the DBMS. Hence I've created a table with the following model:

[image of the log table's model; not reproduced on this page]

Now my question:

Is it good practice to store this for safety reasons, or is it even forbidden for data protection reasons (Germany)? I'm storing the original passwords hashed in the DB, but the wrong passwords (or a correct password with a wrong username) in the log table are in clear text.

Somebody could argue that everybody with access to this table could get user's passwords not alone for this application but for others too, because people who have forgotten their passwords (or their username) might try out others as well.


Not a good idea for users who misspell their user ID but give the correct password!


I'd imagine it is quite dangerous, as many bad logins will only be a character or so off. If you are trying to collect data, perhaps you should run the bad passwords through an algorithm and only store the final report data you are looking for. For instance, if you are trying to find out how close they are to the password, perhaps store an integer of how many characters were incorrect instead.


You don't gain much by storing the password. If you feel the need to see the password, perhaps record it after X incorrect login attempts; that way you avoid recording typos.


Well I think that you should only keep password hashes, and if you log attempts, then why do you need that data? User ID or name combined with IP address and date will do the trick.
