Logging authentication attempts including passwords

I'm writing a comprehensive authentication system for an application and I was planning on logging failed authentication attempts in order to implement better security. I would like to check failed passwords for both brute force and dictionary attacks, however the only method I could think of doing this is by storing the raw password.

I have mixed feelings about doing this. Although I know that the failed login attempts will be cleared every so often I don't like the idea of raw passwords being stored in a database. I know I mistype passwords very often which are very similar to my real password, or worse yet I'll type a wrong password for a particular login that is actually an active password for another website I belong to.

It would however be impossible to implement advanced security without storing some raw passwords, so I'm trying to think about the best way to do it.

Here are some possible solutions I have thought of:

  • Don't store more than 24 hours of login attempts. This isn't really a solution, more of simply limiting the damage if the passwords are compromised.
  • Clear a user's failed attempts if they are successfully authenticated.

Anyone have any input on this? Is this a good/bad idea? Should I use two-way encryption?

Asked Nov 18 '09 21:11 by tplaner


1 Answer

There's a big difference between a user making mistakes and a brute force / dictionary attack: the volume of requests. Don't store failed attempts - you're quite right that the plaintext password should be handled minimally - just look at the pattern of attempts. That should be enough data.

Anything else, and your 'advanced security' starts looking like 'advanced attack vector possibilities'.

Answered Sep 27 '22 19:09 by Peter
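As an added illustration of the answer's point (this is example code, not something posted by either participant), the following Python script detects brute-force and spraying patterns purely from the volume and timing of failed attempts. The log format, the sample lines, the thresholds and all names (`FailureTracker`, `analyse`, `parse_line`) are assumptions made for the example; the log deliberately records who tried, from where, when and the outcome, and never the submitted password. It also implements the question's second idea of clearing an account's failure history on a successful login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not taken from the original post). Each line records
# only who tried, from where, when, and whether it worked: the password itself
# is never written to the log, so there is nothing sensitive to leak later.
SAMPLE_LOG = """\
2009-11-18T21:00:01 user=alice ip=203.0.113.5 result=fail
2009-11-18T21:00:09 user=alice ip=203.0.113.5 result=fail
2009-11-18T21:00:20 user=alice ip=203.0.113.5 result=success
2009-11-18T21:05:00 user=bob ip=198.51.100.7 result=fail
2009-11-18T21:05:02 user=bob ip=198.51.100.7 result=fail
2009-11-18T21:05:04 user=bob ip=198.51.100.7 result=fail
2009-11-18T21:05:06 user=bob ip=198.51.100.7 result=fail
2009-11-18T21:05:08 user=bob ip=198.51.100.7 result=fail
2009-11-18T21:05:10 user=bob ip=198.51.100.7 result=fail
2009-11-18T21:30:00 user=carol ip=192.0.2.9 result=fail
2009-11-18T21:30:01 user=dave ip=192.0.2.9 result=fail
2009-11-18T21:30:02 user=erin ip=192.0.2.9 result=fail
2009-11-18T21:30:03 user=frank ip=192.0.2.9 result=fail
2009-11-18T21:30:04 user=grace ip=192.0.2.9 result=fail
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>fail|success)$"
)


def parse_line(line):
    """Return (timestamp, user, ip, result) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"])


class FailureTracker:
    """Sliding-window counter of failed attempts keyed by account and by source IP.

    Per account it answers "is someone hammering this login?"; per IP it answers
    "is one source trying many different logins?" (spraying). Neither question
    needs the attempted password, only the pattern of attempts.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.by_user = defaultdict(deque)
        self.by_ip = defaultdict(deque)
        self.alerts = []  # (kind, key, timestamp) tuples, one per threshold crossing

    def _record(self, table, kind, key, ts):
        q = table[key]
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        q.append(ts)
        # Alert exactly when the count reaches the threshold, not on every later failure.
        if len(q) == self.threshold:
            self.alerts.append((kind, key, ts))

    def observe(self, ts, user, ip, result):
        if result == "success":
            # A successful login clears the account's failure history
            # (the question's second idea). The per-IP history is kept,
            # because a sprayer may well succeed against one account.
            self.by_user.pop(user, None)
            return
        self._record(self.by_user, "user", user, ts)
        self._record(self.by_ip, "ip", ip, ts)


def analyse(log_text, threshold=5, window=timedelta(minutes=10)):
    """Feed every well-formed line to a tracker and return the alerts it raised."""
    tracker = FailureTracker(threshold, window)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            tracker.observe(*parsed)
    return tracker.alerts


if __name__ == "__main__":
    for kind, key, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind}={key} crossed the failure threshold")
```

On the sample log, alice's two typos followed by a success raise nothing, bob's account and the single address behind it both cross the threshold on the fifth failure, and the address that tries five different accounts once each is caught by the per-IP counter alone, which is the case a per-account counter would miss.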