Nao

  • Dadman with a boy
  • Posts: 16,079
Logging password errors
« on May 2nd, 2012, 07:26 PM »
If there's one type of error that really bothers me in the error log, it's the "Password incorrect" error...
I believe it is logged every time someone enters an incorrect password when logging in.
Because it's the kind of thing that really I couldn't care less about, I'd suggest that we only log these (or at least offer a setting to...) when there have been X consecutive failed password attempts. That would still take care of brute force attempt warnings, while still leaving admins in peace without the need to systematically check their error log only to find these errors...

I'm not sure there's even a system in place to allow for logging errors according to their gravity level.

billy2

  • Trying to earn brownie points for a lads trip to the Red Sea. Minus 1 already - just for asking!!
  • Posts: 350
Re: Logging password errors
« Reply #1, on May 2nd, 2012, 07:37 PM »
Great.
That empties my error log. :)
I have a forum full of muppets with unmemorable passwords.

P.S. Where has the like button gone?

cough, cough.

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: Logging password errors
« Reply #2, on May 2nd, 2012, 07:39 PM »
It's not implemented yet, I just wanted to see opinions about it :)
And hopefully Pete will implement it before I do, because I'm awfully busy on tons of features at the same time, in case you didn't check out today's rev log ;)

The Like button is still here...? It's just hidden inside the Actions button in Mobile mode, if you're wondering.

billy2

  • Trying to earn brownie points for a lads trip to the Red Sea. Minus 1 already - just for asking!!
  • Posts: 350
Re: Logging password errors
« Reply #3, on May 2nd, 2012, 07:44 PM »
iPad2
Only quote and report options in the action drop down
 :hmm:

 :P Avid reader of Revs. Don't understand much of what's posted though :sob:

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Logging password errors
« Reply #4, on May 2nd, 2012, 07:51 PM »
I can't remember if likes was permission based or not, don't think it is though :/

Regarding errors, there's an interesting situation attached. After the third attempt, the session will notice and ask instead for username or email to remind you, so in theory bruteforcing is supposed to cap at 3 though it's possible to bypass that under certain circumstances... it's a bit complicated.

I agree in principle that we can cut back on the 'password' errors (note that they have their own category now, heh) but not sure how best to do it.

billy2

  • Trying to earn brownie points for a lads trip to the Red Sea. Minus 1 already - just for asking!!
  • Posts: 350
Re: Logging password errors
« Reply #5, on May 2nd, 2012, 07:55 PM » Last edited on May 2nd, 2012, 08:05 PM
Like button *was* visible to me.
Cannot put a day/time to that statement

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: Logging password errors
« Reply #6, on May 2nd, 2012, 09:33 PM »
Like button should show up in mobile mode now. This was a recent bug I fixed today.

Yeah I know passwords have their own category which is why I'm suggesting that admins could choose types of errors to log -- just like they can choose to disable 404s which have their own cat, it'd be nice to streamline all of this.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Logging password errors
« Reply #7, on May 2nd, 2012, 09:39 PM »
Choosing types to log is an interesting idea though I don't think I'd offer all types of error; I don't think I'd offer to hide plugin errors for example.

What I would be more inclined to do is figure out better ways to handle some of these; 404s need a proper option, sure, but password errors can be handled more gracefully, perhaps by logging the number of failures in the user's account and only notify the admin when a certain number of failures is hit (and then reset that on successful login and once the warning has been issued)
Re: Logging password errors
« Reply #8, on July 23rd, 2012, 02:35 AM »
r1644 adds in an option for this. I couldn't think of a more reliable method that would actually stand up to scrutiny and in the meantime this'll do.
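
The counter described in reply #7 (count failures per account, notify the admin only when a threshold is hit, reset on successful login and once the warning has been issued), as an added Python sketch. It is not Wedge code and not what r1644 implemented; the class and function names, the threshold of 5 and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 5  # assumed value; the thread only says "a certain number"


class FailureTracker:
    """Failed-login counter stored per account on the server, not in the
    visitor's session, so starting a new session does not reset it."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.log = []  # the only entries the admin's error log would receive

    def failed(self, account, when):
        """Record one bad password; return True if a warning was logged."""
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.log.append((when, account, self.failures[account]))
            self.failures[account] = 0  # reset once the warning is issued
            return True
        return False

    def succeeded(self, account):
        """A correct password clears the account's counter."""
        self.failures.pop(account, None)


def replay(events, threshold=THRESHOLD):
    """Feed (time, account, ok) login events through the tracker."""
    tracker = FailureTracker(threshold)
    for when, account, ok in events:
        if ok:
            tracker.succeeded(account)
        else:
            tracker.failed(account, when)
    return tracker.log


def naive_count(events):
    """Entries produced when every bad password is logged individually."""
    return sum(1 for _, _, ok in events if not ok)


# Constructed sample: alice mistypes twice then logs in; bob's account
# receives 12 consecutive failures; alice mistypes once more later.
EVENTS = (
    [(t, "alice", False) for t in (1, 2)] + [(3, "alice", True)]
    + [(t, "bob", False) for t in range(4, 16)]
    + [(16, "alice", False)]
)

if __name__ == "__main__":
    print(naive_count(EVENTS), "entries when logging every failure")
    print(replay(EVENTS), "entries with the threshold")
```
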

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: Logging password errors
« Reply #11, on August 22nd, 2012, 03:34 PM »
Ah, yes, I believe I implemented that last month or so... 8-)