Should I log that a user changed their password?

To, answer your question, Yes, you can and SHOULD log password-changes, and there's nothing fundamentally wrong with doing so, as long as you don't e.g. record the password itself"

What to log?

When designing logging for Security purposes you want to address these questions:

When did the event happen?

  • The date and time the event occurred (Use the common log format)

What was the event?

  • A short description of the event (e.g Password Change)

Who triggered the event?

  • The user id, name, email or some unique identifier

Why was the event triggered?

  • This is not the same as the "What" even though many people use it that way. This is the reason the event was executed. (e.g. Password changed due to policy, User manually changed password, etc). This can be really good for weeding out noise.

Scenarios

One of the best methods for discussing what to see is via scenarios and asking the team:

  • What information does the event provide?
  • Is the event required for compliance / legal?
  • Are we logging for detective reason? (e.g. Triggering a SIEM) or for corrective? (e.g. Forensics after the fact)
  • Who will be looking at the logs?
  • How will we protect the logs?

Example:

James is part of the IR team, which is responsible for Made-Up Company's critical application 'Non-Existence'. James want to be able to see all password changes in order to detect changes that occur outside the normal policy process. These events will trigger and investigation if a password change happens without an incident logged by the support team. Logs will be sent to the IR SIEM appliance which will use a rule set to trigger warnings to the IR team when an incident cannot be correlated to a password change outside of a required policy change.

(Obligatorily caution for using this at a workplace. I just made this example up.)

[edit] - Updated the initial answer to be more clear. Thanks to @SeldomNeedy for the suggestion.


I can't give you a reason not to log something; you have to give me a reason why you need to log it.

You can theoretically log everything the users does, (down to mouse pointer movement, clicks, and when a window is the foreground or not).

But, do you NEED to log everything? Can you log everything without sacrificing performance? Can you store the logs for a useful period of time?

There is no reason not to log when the user changes his/her password. You can prevent the users from changing their password too often. Or any feature that you can build on the history, habits, and patterns of password changing.

You can even correlate the password changing with major security breaches to determine how "techy" the user is.


You can log some message to indicate that the user has changed the password along with some information like ipaddress(to track if somebody has inadvertently changed his passsword) from where he has changed the password.

Please avoid logging PII information which will lead back to specific user if the log file is leaked.

Tags:

Logging

Passwords

Password Reset

Recent Posts