What should the solution be? Not logging the "username" at all? Or logging it if and only if the "username" is actually a valid username? I lean to the latter. Nico On Thu, Dec 07, 2000 at 05:59:51PM +0000, John Haxby wrote: [A complaint about logging usernames in failed login attempts, which logs can lead to logging of passwords when users accidentally type in their passwords at the username prompt, was here.] --
