I thought it was actually best practice to not even record the username,
since a very conceivable mistake is to forget to tab over to the password
field and then submit the form after typing username and password into the
same field.  Perhaps only storing a hash might be safe.

Regardless, it does seem to be in the questionable category of even being
useful, and instead just opens you up to further attacks.  I view it (in
what I do not think is a controversial view) as follows: the usernames and
passwords of users are actually valuable information.  As much so as credit
card numbers.  Treat them as such.

(None of this is to say Ryan's answer is incorrect in any shape, form or
fashion.)


On Mon, Jan 14, 2013 at 5:16 PM, Ryan Schipper <[email protected]> wrote:

> As to the legality, I think the correct question is: is it legal to store
> the password (as entered or some derived form, such as a hash)?
>
> Auditing failed login attempts (the username, a timestamp, etc) is an
> extremely common practice - in fact, Australian information security
> standards require it and common professional security certifications (CISSP
> etc) recommend it. I'd be very surprised if it were illegal to track this sort
> of information within the EU. These logs are invaluable in conducting
> internal fraud or security investigations.
>
> That said, why does the password (in particular) need to be tracked? I can
> think of a very good reason not to track it: mistyped passwords. Consider
> how many times you mistype your password. If a computer system were to
> track my mistyped passwords, the database containing those would become a
> treasure trove for internal fraudsters.
>
> I can't think of a sane security professional that would recommend
> tracking passwords in this manner - usernames and timestamps, absolutely,
> but not passwords.
>
> PS. As usual, if you or your client are legitimately concerned, you should
> be consulting a practicing lawyer, not a list of Java doods. =)
>
> -- Ryan
>
> On 15 January 2013 08:30, Fabrizio Giudici <[email protected]> wrote:
>
>> On Mon, 14 Jan 2013 22:24:35 +0100, Kevin Wright <[email protected]> wrote:
>>
>>> That depends on what you mean by "retain".
>>
>> I suppose he means the credentials are logged, or stored somewhere not
>> just in order to re-render a page.
>>
>> --
>> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
>> "We make Java work. Everywhere."
>> http://tidalwave.it/fabrizio/blog - [email protected]
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Java Posse" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to [email protected].
>> For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.
>>

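The approach both messages in this thread circle around (audit every failed login with a timestamp and source, keep the submitted username only in hashed form so a password accidentally typed into that field never lands in the log, and never record the password itself) written out as an added Python example. This is not code from the thread or from any of its participants. The audit key, the sample records, the threshold and the window are constructed for illustration; a keyed HMAC is used rather than a plain hash because a short, guessable value under a plain hash is trivially brute-forced offline.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed: a per-deployment secret kept outside the log store (secrets manager,
# HSM, ...), so the log alone cannot be reversed. Constructed for this example;
# never hard-code a real key like this.
AUDIT_KEY = b"example-only-audit-key-do-not-ship"


def pseudonymize(submitted_value: str, key: bytes = AUDIT_KEY) -> str:
    """HMAC-SHA256 of whatever was typed into the username field.

    The result is stable per value, so an investigator holding the key can
    still correlate attempts against one account, while someone who only
    steals the log gets nothing they can brute-force cheaply.
    """
    return hmac.new(key, submitted_value.encode("utf-8"), hashlib.sha256).hexdigest()


def failed_login_record(submitted_username: str, source_ip: str,
                        when: datetime, key: bytes = AUDIT_KEY) -> dict:
    """Build one audit record for a failed login.

    There is deliberately no password parameter: a mistyped password is one
    character away from the real one, so it must never reach the audit store.
    The username is kept only as an HMAC, which also covers the common slip of
    typing username and password into the same field.
    """
    return {
        "event": "login_failed",
        "ts": when.astimezone(timezone.utc).isoformat(),
        "user_hmac": pseudonymize(submitted_username, key),
        "src_ip": source_ip,
    }


def attempts_for_account(records: list, username: str, key: bytes = AUDIT_KEY) -> list:
    """Investigator-side query: all failed attempts against a known account."""
    wanted = pseudonymize(username, key)
    return [r for r in records if r["user_hmac"] == wanted]


def bursting_sources(records: list, threshold: int = 5,
                     window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with >= threshold failures inside any sliding window.

    Returns {src_ip: peak_count_in_window}. This is the kind of check the
    audit log exists for (credential stuffing, spraying, a broken client).
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["src_ip"]].append(datetime.fromisoformat(r["ts"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample traffic: one user who fat-fingered the form, followed by
# a burst of failures against the same account from another address.
_T0 = datetime(2013, 1, 15, 8, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    failed_login_record("alice", "203.0.113.10", _T0),
    # username and password typed into the same field: only its HMAC is stored
    failed_login_record("alicehunter2", "203.0.113.10", _T0 + timedelta(seconds=5)),
] + [
    failed_login_record("alice", "198.51.100.7", _T0 + timedelta(seconds=20 * i))
    for i in range(6)
]


if __name__ == "__main__":
    print(json.dumps(SAMPLE_RECORDS[1], indent=2))
    print("failures against alice:", len(attempts_for_account(SAMPLE_RECORDS, "alice")))
    print("bursting sources:", bursting_sources(SAMPLE_RECORDS))
```

Running the block prints the fat-fingered record (an HMAC and an IP, no trace of "alicehunter2"), seven failures attributed to alice once the investigator recomputes her HMAC, and 198.51.100.7 flagged with six failures in the five-minute window. The obvious caveat is that the pseudonymisation is only as strong as the secrecy of AUDIT_KEY: if the key sits beside the log, the log is effectively a plain hash again.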
