[Dovecot] auth_debug_passwords

Eduardo M KALINOWSKI eduardo at kalinowski.com.br
Wed Feb 4 12:52:10 EET 2009


Josh Gentry wrote:
> Hi.  I'm new to Dovecot and about to start using it in production.  In
> the config file, I set the option, auth_debug_passwords, to yes.  I do
> not see any failed passwords logged, however.  It did cause more verbose
> authentication logging, but failed passwords are still hidden.
>   

That option is not for logging passwords, but to ease problem
investigation in case something is not working as it should.

There might be a way to log password attempts, but it's not a good idea
from the point of view of security, so I'm glad it's not so easy to have
them logged.

Remember that a failed password might be someone using a dictionary
attack, but can be an user that simply mistyped one character in his
password. But even in the first case, what good would it do to know what
words an attacker is using?



-- 
Q:	Why does Washington have the most lawyers per capita and
	New Jersey the most toxic waste dumps?
A:	God gave New Jersey first choice.

Eduardo M KALINOWSKI
eduardo at kalinowski.com.br
http://move.to/hpkb



More information about the dovecot mailing list