Passwords in Event Log

Discussion in 'ASP .Net Security' started by Steve Seier, Oct 22, 2009.

  1. Steve Seier

    Steve Seier Guest

    We have an asp.net 2.x application that's been operational for several years.
    This app is forms-based so we handle user authentication in the app.

    Recently, looking at the server event log, I see several errors/events that
    point to ASP.NET when there is a failure, such as a user entering the wrong
    password, which we handle, and other errors coming from the application.
    However, when there is an error written to the event log all the gory
    information about the event and user's credentials is written to the log file
    (event) as well including the PASSWORD in clear text!

    Password in CLEAR text! What! Why is Microsoft doing / allowing this? This
    is a breach of security in that any administrator or user that can look at
    the events can find this sensitive data.

    Is there any way to turn this option off or change the behavior of .NET to
    not write such data to the event logs?

    I'm totally baffled by this! In this age of security, sensitive data like
    user IDs and passwords are written to a common log file for all to see.
    Steve Seier, Oct 22, 2009
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Can you show the full details of the error without the password details?

    Typically, ASP.NET just logs exceptions. If somehow the passwords are
    showing up in the exception data, that would be bad but would tend to
    indicate an issue with the code as it is not typical of the default
    authentication mechanisms I'm familiar with that the password data would be
    in the exception.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Steve Seier" <> wrote in message
    news:...
    > We have an asp.net 2.x application that's been operational for several
    > years.
    > This app is forms-based so we handle user authentication in the app.
    >
    > Recently looking at the server event log I see several error/events that
    > point to ASP.NET when there is a failure, such as a user entered the wrong
    > password, which we handle, and other errors coming from the application.
    > However, when there is an error written to the event log all the gory
    > information about the event and user's credentials is written to the log
    > file
    > (event) as well including the PASSWORD in clear text!
    >
    > Password in CLEAR text! What! Why is Microsoft doing / allowing this? This
    > is a breach of security in that any administrator or user that can look at
    > the events can find this sensitive data.
    >
    > Is there any way to turn this option off or change the behavior of .NET to
    > not write such data to the event logs?
    >
    > I'm totally baffled by this! In this age of security sensitive data like
    > user ID and passwords are written to a common log file for all to see.
    >
    Joe Kaplan, Oct 26, 2009
    #2
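The failure mode Joe describes, as an added example that is not code from the thread or from the ASP.NET framework: a login helper that folds the submitted password into the exception message, beside a version that does not, and the kind of catch-all error handler (assumed here as a hypothetical Global.asax Application_Error) that copies ex.ToString() into the Application event log. The names LoginHandler, AuthenticateLeaky, AuthenticateSafe and CheckCredentials are invented for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Hypothetical forms-authentication helper used by an ASP.NET 2.x page.
public static class LoginHandler
{
    // Leaky pattern: the caller's password ends up in the exception message.
    // Anything that logs the exception (health monitoring's default "All
    // Errors" rule, or the handler below) writes the secret to the event log.
    public static void AuthenticateLeaky(string user, string password)
    {
        if (!CheckCredentials(user, password))
            throw new InvalidOperationException(
                "Login failed for " + user + " with password " + password);
    }

    // Hardened pattern: the exception carries only non-secret context, so the
    // same logging path records the failure without the credential.
    public static void AuthenticateSafe(string user, string password)
    {
        if (!CheckCredentials(user, password))
            throw new InvalidOperationException(
                "Login failed for user '" + user + "'");
    }

    // Stand-in for the application's real credential check (assumption).
    private static bool CheckCredentials(string user, string password)
    {
        return user == "alice" && password == "correct-horse";
    }
}

// Hypothetical Global.asax handler: this is the sink where the secret
// lands. It is not wrong to log the exception; the defect is upstream,
// in what the exception message was built from.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        // ex.ToString() includes Message, so AuthenticateLeaky's message
        // (password included) is what an administrator reads in Event Viewer.
        EventLog.WriteEntry("ASP.NET", ex.ToString(), EventLogEntryType.Error);
    }
}
```

Searching the Application log for entries whose text contains a known test password after a deliberate failed login is a quick way to confirm which code path is responsible.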
