Passwords in Event Log

Steve Seier

We have an ASP.NET 2.x application that's been operational for several years.
This app is forms-based so we handle user authentication in the app.

Recently looking at the server event log I see several error/events that
point to ASP.NET when there is a failure, such as a user entered the wrong
password, which we handle, and other errors coming from the application.
However, when there is an error written to the event log all the gory
information about the event and user's credentials is written to the log file
(event) as well including the PASSWORD in clear text!

Password in CLEAR text! What! Why is Microsoft doing / allowing this? This
is a breach of security in that any administrator or user that can look at
the events can find this sensitive data.

Is there any way to turn this option off or change the behavior of .NET to
not write such data to the event logs?

I'm totally baffled by this! In this age of security, sensitive data like
user ID and passwords are written to a common log file for all to see.
 
Joe Kaplan

Can you show the full details of the error without the password details?

Typically, ASP.NET just logs exceptions. If somehow the passwords are
showing up in the exception data, that would be bad but would tend to
indicate an issue with the code as it is not typical of the default
authentication mechanisms I'm familiar with that the password data would be
in the exception.
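
Added example, not part of the thread and not the poster's code: a console sketch of the situation the reply describes, where application code puts the credential into the exception text and whatever logs the exception records it. All names (`AuthenticateLeaky`, `AuthenticateSafe`, `Redact`, `SecretFields`) and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Specialized;

static class LoginLoggingDemo
{
    // Field names treated as secret; this list is an assumption for the example.
    static readonly string[] SecretFields = { "password", "pwd", "passwd" };

    // Risky pattern: the credential is embedded in the exception message, so
    // anything that logs the exception (the event log included) records it.
    static void AuthenticateLeaky(string user, string password)
    {
        throw new InvalidOperationException(
            "Login failed for " + user + " with password " + password);
    }

    // Safer pattern: the exception identifies the account, never the secret.
    static void AuthenticateSafe(string user, string password)
    {
        throw new InvalidOperationException("Login failed for " + user);
    }

    // Copy request fields for diagnostics with secret values masked.
    static NameValueCollection Redact(NameValueCollection form)
    {
        var copy = new NameValueCollection();
        foreach (string key in form.AllKeys)
        {
            bool secret = key != null && Array.Exists(SecretFields,
                s => key.IndexOf(s, StringComparison.OrdinalIgnoreCase) >= 0);
            copy.Add(key, secret ? "[REDACTED]" : form[key]);
        }
        return copy;
    }

    static void Main()
    {
        // Constructed sample input standing in for posted login form fields.
        var form = new NameValueCollection { { "UserName", "alice" }, { "Password", "Hunter2!" } };
        try { AuthenticateLeaky(form["UserName"], form["Password"]); }
        catch (Exception ex) { Console.WriteLine("leaky: " + ex.Message); }
        try { AuthenticateSafe(form["UserName"], form["Password"]); }
        catch (Exception ex) { Console.WriteLine("safe:  " + ex.Message); }
        var safeForm = Redact(form);
        foreach (string k in safeForm.AllKeys)
            Console.WriteLine(k + "=" + safeForm[k]);
    }
}
```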
 