As to the legality, I think the correct question is: is it legal to store
the password (as entered or some derived form, such as a hash)?

Auditing failed login attempts (the username, a timestamp, etc) is an
extremely common practice - in fact, Australian information security
standards require it and common professional security certifications (CISSP
etc) recommend it. I'd be very surprised if it is illegal to track this sort
of information within the EU. These logs are invaluable in conducting
internal fraud or security investigations.

That said, why does the password (in particular) need to be tracked? I can
think of a very good reason not to track it: mistyped passwords. Consider
how many times you mistype your password. If a computer system were to
track my mistyped passwords, the database containing those would become a
treasure trove for internal fraudsters.

I can't think of a sane security professional that would recommend tracking
passwords in this manner - usernames and timestamps, absolutely, but not
passwords.

PS. As usual, if you or your client are legitimately concerned, you should
be consulting a practicing lawyer, not a list of Java doods. =)

-- Ryan

On 15 January 2013 08:30, Fabrizio Giudici <[email protected]> wrote:

> On Mon, 14 Jan 2013 22:24:35 +0100, Kevin Wright <[email protected]>
> wrote:
>
>> That depends on what you mean by "retain".
>
> I suppose he means the credentials are logged, or stored somewhere not
> just in order to re-render a page.
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> [email protected]
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Java Posse" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> javaposse+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/javaposse?hl=en.
>
>
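
An added example, not part of the original thread: one way to audit failed logins with the username and timestamp while keeping the password, mistyped or not, out of the logs. The field names, logger name and sample form values are assumptions constructed for this illustration.

```python
import json
import logging
from datetime import datetime, timezone

# Assumed form field names; adjust to the real login form.
AUDIT_FIELDS = ("username", "source_ip")
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password"}


def failed_login_event(form, now=None):
    """Build the audit record from an allowlist, so the password field
    can never be copied into the log by accident."""
    now = now or datetime.now(timezone.utc)
    event = {"event": "login_failed", "timestamp": now.isoformat()}
    for field in AUDIT_FIELDS:
        event[field] = str(form.get(field, ""))[:256]
    return event


class RedactSecrets(logging.Filter):
    """Second line of defence: scrub sensitive keys when a whole form
    dict is passed as the log argument (e.g. a careless debug dump)."""

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {
                k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else v
                for k, v in record.args.items()
            }
        return True


class ListHandler(logging.Handler):
    """Collects formatted messages in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def demo():
    # Constructed sample: a failed attempt with a mistyped password.
    form = {"username": "alice", "password": "hunter2x", "source_ip": "192.0.2.10"}
    log = logging.getLogger("auth.audit.example")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactSecrets())
    log.handlers = [handler]
    log.warning("%s", json.dumps(failed_login_event(form), sort_keys=True))
    log.debug("raw form: %s", form)  # whole-form dump, caught by the filter
    return handler.lines
```
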
