Tenant Logs Not Showing All Failed Login Attempts Due to Breached Passwords

Overview

This article explains why the tenant logs do not record a pwd_leak event for every failed login attempt made with a known breached password. During testing, an administrator may observe that some of these failed logins, including attempts against different user accounts, are missing from the logs.

Applies To

  • Logs
  • Breached Password Detection
  • User Authentication

Cause

The System Log generates a pwd_leak event at most once per hour for each unique source Internet Protocol (IP) address. When a sign-in attempt from an IP address uses a known breached password, a pwd_leak event is created and the one-hour window for that address begins. Any further sign-in attempts from the same IP address with a breached password, regardless of which user account they target, do not produce another pwd_leak event until the next one-hour interval begins. Because the limit is keyed on the IP address rather than the user account, attempts by several different users made from one address within the same hour appear as a single event.

Solution

To observe a pwd_leak event for each failed login attempt during testing, adapt the testing procedure to account for the one-hour limit per IP address. This can be achieved by one of the following methods:

  • Performing test logins from a single IP address at intervals greater than one hour.
  • Using a different IP address for each test login attempt.
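The following is an added worked example, not code from the original article or from the product it describes. It models the per-IP, once-per-hour suppression described in the Cause section and applies it to three constructed test plans: a typical run (one workstation, attempts a minute apart) and the two methods listed above. The rule is implemented on the assumption that the one-hour window is measured from the attempt that produced the last pwd_leak event for that IP and is keyed on IP only, never on the user account; the behaviour at exactly one hour is not specified by the article, so the plans use 61-minute gaps.

```python
"""Model of the per-IP, once-per-hour suppression of pwd_leak events.

Added worked example, not code from the original article or from the product.
Assumption: the suppression window is one hour measured from the attempt that
produced the last pwd_leak event for a source IP, and it is keyed on the IP
address only, never on the user account being signed in to.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WINDOW = timedelta(hours=1)  # assumption: one pwd_leak event per IP per hour


@dataclass(frozen=True)
class Attempt:
    """One sign-in attempt in a constructed test plan."""
    ts: datetime
    ip: str
    user: str
    breached_password: bool  # True when the password is a known breached one


def expected_pwd_leak_events(attempts: List[Attempt]) -> List[Attempt]:
    """Return the attempts that would appear in the log as pwd_leak events.

    Only breached-password attempts are candidates. After an IP produces an
    event, further candidates from the same IP are dropped until WINDOW has
    elapsed, regardless of which user they target.
    """
    last_logged: Dict[str, datetime] = {}
    logged: List[Attempt] = []
    for a in sorted(attempts, key=lambda x: x.ts):
        if not a.breached_password:
            continue  # ordinary failed login: not a pwd_leak candidate
        prev: Optional[datetime] = last_logged.get(a.ip)
        if prev is None or a.ts - prev >= WINDOW:
            last_logged[a.ip] = a.ts
            logged.append(a)
    return logged


def missing_events(attempts: List[Attempt]) -> List[Attempt]:
    """Breached-password attempts an administrator would NOT find in the log."""
    logged = set(expected_pwd_leak_events(attempts))
    return [a for a in attempts if a.breached_password and a not in logged]


def build_plan(users: List[str], start: datetime, ips: List[str],
               spacing: timedelta) -> List[Attempt]:
    """Constructed test plan: one breached-password attempt per user, in order.

    Source IPs are taken from ips in rotation, so a single-element list means
    every attempt comes from the same address.
    """
    return [Attempt(start + i * spacing, ips[i % len(ips)], u, True)
            for i, u in enumerate(users)]


# Constructed sample data (not real tenants, users or addresses).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
USERS = ["alice", "bob", "carol", "dave", "erin"]
ONE_IP = ["203.0.113.10"]
FIVE_IPS = [f"203.0.113.{n}" for n in range(10, 15)]

# What most test runs look like: same workstation, attempts a minute apart.
NAIVE_PLAN = build_plan(USERS, T0, ONE_IP, timedelta(minutes=1))
# Method 1 from the Solution: same IP, gaps greater than one hour.
SPACED_PLAN = build_plan(USERS, T0, ONE_IP, timedelta(minutes=61))
# Method 2 from the Solution: a different source IP for every attempt.
MULTI_IP_PLAN = build_plan(USERS, T0, FIVE_IPS, timedelta(minutes=1))
# Edge case: an ordinary (non-breached) failure from the same IP one minute
# earlier neither appears as pwd_leak nor starts the suppression window.
MIXED_PLAN = [Attempt(T0, ONE_IP[0], "alice", False),
              Attempt(T0 + timedelta(minutes=1), ONE_IP[0], "bob", True)]


def summarize(name: str, plan: List[Attempt]) -> str:
    """One-line report of how a plan would show up in the tenant logs."""
    logged = expected_pwd_leak_events(plan)
    missing = missing_events(plan)
    return (f"{name}: {len(plan)} attempt(s) -> {len(logged)} pwd_leak "
            f"event(s); not logged: {[a.user for a in missing]}")


if __name__ == "__main__":
    for name, plan in [("naive", NAIVE_PLAN), ("spaced", SPACED_PLAN),
                       ("multi-ip", MULTI_IP_PLAN), ("mixed", MIXED_PLAN)]:
        print(summarize(name, plan))
```

Running the script shows the naive plan collapsing five users' attempts into a single pwd_leak event for the first user, while both methods from the Solution yield one event per attempt. Feeding a planned test schedule through expected_pwd_leak_events before running it tells you in advance which attempts to expect in the logs, so missing entries can be attributed to the rate limit rather than to a logging fault.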