Overview
This article explains why system logs do not record every failed login attempt when a breached password is used. During testing, an administrator may observe that some failed logins from various users are missing from the logs.
Applies To
- Logs
- Breached Password Detection
- User Authentication
Cause
The System Log generates at most one pwd_leak event per hour for each unique Internet Protocol (IP) address. When a sign-in attempt from an IP address uses a known breached password, a log event is created. Any subsequent failed login attempts from the same IP address using a breached password are not logged until the next one-hour interval begins.
Solution
To observe a log event for each failed login attempt during testing, adapt the testing procedure to account for the one-hour rate limit per IP address. This can be achieved by one of the following methods:
- Performing test logins from a single IP address at intervals greater than one hour.
- Using a different IP address for each test login attempt.
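
The following added example (not part of the original article or the product's code) models the behavior described under Cause, so a test plan can be checked in advance for which attempts should produce a pwd_leak event. It assumes the one-hour window starts at the last logged event for that IP address; the function name, sample IP addresses, and user names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Per the article: one pwd_leak event per hour for each unique IP address.
WINDOW = timedelta(hours=1)


def expected_pwd_leak_events(attempts, window=WINDOW):
    """Split breached-password sign-in attempts into (logged, suppressed).

    attempts: iterable of (timestamp, ip, user) tuples.
    Assumption: the window is measured from the last *logged* event for the
    same IP; the user name plays no part in the rate limit.
    """
    last_logged = {}  # ip -> timestamp of the last event that was logged
    logged, suppressed = [], []
    for ts, ip, user in sorted(attempts):
        prev = last_logged.get(ip)
        # "Intervals greater than one hour" -> strictly greater than the window.
        if prev is None or ts - prev > window:
            last_logged[ip] = ts
            logged.append((ts, ip, user))
        else:
            suppressed.append((ts, ip, user))
    return logged, suppressed


# Constructed test plan (documentation-range IPs, made-up users).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ATTEMPTS = [
    (T0, "192.0.2.10", "alice"),                          # first from this IP
    (T0 + timedelta(minutes=5), "192.0.2.10", "bob"),     # same IP, other user
    (T0 + timedelta(minutes=10), "198.51.100.7", "carol"),  # different IP
    (T0 + timedelta(minutes=59), "192.0.2.10", "alice"),  # still inside window
    (T0 + timedelta(minutes=61), "192.0.2.10", "dave"),   # more than one hour
    (T0 + timedelta(minutes=70), "192.0.2.10", "bob"),    # new window started
]

if __name__ == "__main__":
    logged, suppressed = expected_pwd_leak_events(SAMPLE_ATTEMPTS)
    for ts, ip, user in logged:
        print(f"LOGGED     {ts:%H:%M} {ip:<13} {user}")
    for ts, ip, user in suppressed:
        print(f"SUPPRESSED {ts:%H:%M} {ip:<13} {user}")
```

When reviewing the System Log after a test run, attempts the model marks as suppressed are expected gaps rather than missing data.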