[zeta0134]

Just about nobody logs passwords on purpose. But really stupid IoT devices accept credentials as like query strings, or part of the path or something, and it's common to log those. The attacker is sending you passwords meant for a much less secure system.

[SoftTalker]

You probably shouldn't log usernames then, or really any form fields, as users might accidentally enter a password into one of them. Kind of defeats the point of web forms, but safety is important!

[Dylan16807]

Are you using a very weird definition of "logging" to make a joke? Web forms don't need any logging to work.

[SoftTalker]

You save them in a database. Probably in clear text. Six of one, half-dozen of the other.

[Dylan16807]

A password being put into a normal text field in a properly submitted form is a lot less likely than getting into some query or path. And a database is more likely to be handled properly than some random log file.

Six of one, .008 of a dozen of the other.

[hinkley]

So no access logs at all then? That sounds effective.