Skip to main content
Question

"invalid credentials" log messages appears when I lock screen.

  • August 9, 2024
  • 2 replies
  • 15 views
L
Forum|alt.badge.img+2

We are facing a problem where user accounts are locked for unknown reasons, and we are trying to find out if our users are entering their passwords correctly (we have a password policy that auto-locks user accounts after N failed attempts).
So I'm trying to search logs for events of users typing the wrong password, and I'm running this command:

log show --predicate 'subsystem == "com.apple.opendirectoryd" AND category == "auth" AND eventMessage contains "invalid credentials"' --style syslog --info --signpost --last 1h

 But it shows many "invalid credentials" messages; and every time the user locks the screen, an "invalid credentials" message is generated.
Therefore, two questions:

1) Does anyone know why an "invalid credentials" message is generated on the screen lock?

2) How can I know when users are really entering their password incorrectly and not just locking screens?

    2 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • August 9, 2024

    Have you tried checking to see if the same log is presented for com.apple.loginwindow? MacOS can be super screwy with how it displays logs. 

    L
    Forum|alt.badge.img+2
    • lopatoid
    • Author
    • New Contributor
    • August 22, 2024

    Thank you, AJPinto; I can see "incorrect password" events in com.apple. login window.logging. It helps a little, although I'm looking for more system-wide events in cases like where users enter the wrong passwords while using the "sudo" command or when macOS asking a password before the update process.

    Terms & ConditionsCookie settingsAccessibility statement