We are facing a problem where user accounts are locked for unknown reasons, and we are trying to find out if our users are entering their passwords correctly (we have a password policy that auto-locks user accounts after N failed attempts).
So I'm trying to search logs for events of users typing the wrong password, and I'm running this command:
log show --predicate 'subsystem == "com.apple.opendirectoryd" AND category == "auth" AND eventMessage contains "invalid credentials"' --style syslog --info --signpost --last 1h
But it shows many "invalid credentials" messages, and every time the user locks the screen, an "invalid credentials" message is generated.
Therefore, two questions:
1) Does anyone know why an "invalid credentials" message is generated on screen lock?
2) How can I know when users are really entering their password incorrectly and not just locking screens?