

Your users passwords stolen. Admin, how do you know? - dominikDe

Because of the recent incidents with stolen password hashes I asked myself: How would I notice that passwords have been stolen from one of my servers?<p>What for security measure should be taken to make sure an invader is detected?
======
iSloth
Assuming that your passwords are going to be stored within a database, log the
number of requests to that database or even better the database table holding
your authentication data.

Look for spikes in requests and also the number of rows been returned per
database request (for a MySQL select).

Specifically see if you can compare these database requests to authentication
events (login/logout), for most applications you would expect a 1:1 ratio of
'authentication events':'database requests'.

Finally and what most people forget, secure your backups, as these will hold
all of your authentication data as well!

------
rman666
One way might be to watch for your password file name on the way out while
sniffing at points of egress.

