Help

"invalid credentials" log messages appears when I lock screen.

lopatoid
New Contributor

Posted on ‎08-08-2024 11:23 PM

We are facing a problem where user accounts are locked for unknown reasons, and we are trying to find out if our users are entering their passwords correctly (we have a password policy that auto-locks user accounts after N failed attempts).
So I'm trying to search logs for events of users typing the wrong password, and I'm running this command:

log show --predicate 'subsystem == "com.apple.opendirectoryd" AND category == "auth" AND eventMessage contains "invalid credentials"'  --style syslog --info --signpost --last 1h

 But it shows many "invalid credentials" messages; and every time the user locks the screen, an "invalid credentials" message is generated.
Therefore, two questions:

1) Does anyone know why an "invalid credentials" message is generated on the screen lock?

2) How can I know when users are really entering their password incorrectly and not just locking screens?

0 Kudos
Reply
2 REPLIES 2

AJPinto
Honored Contributor III

Posted on ‎08-09-2024 04:12 AM

Have you tried checking to see if the same log is presented for com.apple.loginwindow? MacOS can be super screwy with how it displays logs. 

0 Kudos
Reply

lopatoid
New Contributor

Posted on ‎08-22-2024 06:04 AM

Thank you, AJPinto; I can see "incorrect password" events in com.apple. login window.logging. It helps a little, although I'm looking for more system-wide events in cases like where users enter the wrong passwords while using the "sudo" command or when macOS asking a password before the update process.

0 Kudos
Reply