As to the legality, I think the correct question is: is it legal to store the password (as entered or some derived form, such as a hash)?
Auditing failed login attempts (the username, a timestamp, etc.) is an extremely common practice - in fact, Australian information security standards require it and common professional security certifications (CISSP etc.) recommend it. I'd be very surprised if it is illegal to track this sort of information within the EU. These logs are invaluable in conducting internal fraud or security investigations.

That said, why does the password (in particular) need to be tracked? I can think of a very good reason not to track it: mistyped passwords. Consider how many times you mistype your password. If a computer system were to track my mistyped passwords, the database containing those would become a treasure trove for internal fraudsters. I can't think of a sane security professional that would recommend tracking passwords in this manner - usernames and timestamps, absolutely, but not passwords.

PS. As usual, if you or your client are legitimately concerned, you should be consulting a practicing lawyer, not a list of Java doods. =)

-- Ryan

On 15 January 2013 08:30, Fabrizio Giudici wrote:

> On Mon, 14 Jan 2013 22:24:35 +0100, Kevin Wright wrote:
>
>> That depends on what you mean by "retain".
>
> I suppose he means the credentials are logged, or stored somewhere not just in order to re-render a page.
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog
