I've found this in the Console logs:
10/03/10 3:53:58 PM SecurityAgent[156] User info context values set for tom
10/03/10 3:53:58 PM authorizationhost[154] Failed to authenticate user (tDirStatus: -14090).
10/03/10 3:54:00 PM SecurityAgent[156] User info context values set for tom
10/03/10 3:54:00 PM authorizationhost[154] Failed to authenticate user (tDirStatus: -14090).
10/03/10 3:54:03 PM SecurityAgent[156] User info context values set for tom
10/03/10 3:54:03 PM authorizationhost[154] Failed to authenticate user (tDirStatus: -14090).
There are about 11 of these "failed to authenticate" messages logged in quick succession. It looks to me like someone is sitting there trying to guess the password. However, when I tried to replicate this, I got the same log messages, except that this extra message appeared after five attempts:
13/03/10 1:18:48 PM DirectoryService[11] Failed Authentication return is being delayed due to over five recent auth failures for username: tom.
I don't want to accuse someone of trying to break into an account without being sure that they were actually trying to break in. My question is this: is it almost definitely someone guessing a password, or could the 11 "failed to authenticate" messages be caused by something else?
EDIT: The actual user wasn't logged in or using a computer at the time of the login attempts.
Best Answer
I'm seeing a few things on the various Mac sites, and it's looking like (my best guess) this log is stored when a user is trying to authenticate to a service, like a calendar or LDAP server. And there could be reasons other than malicious intent for a user to fail on a server login, such as the time being wrong on the machine or if a certificate in the keychain is expired or doesn't have the right trust settings.
At the very least, I'd approach the user and ask if they've been having problems logging in to something or if something has been asking for a password every three minutes, etc.
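To put numbers on "quick succession" before talking to anyone, the Console lines quoted in the question can be grouped into bursts per user, with the gap between failures and whether the DirectoryService delay message appeared during the burst. This is an added example, not part of the original question or answer; `summarize`, `burst_gap` and the day/month/year date order are assumptions, and the sample input is constructed from the lines quoted above.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: the lines quoted in the question, one entry per line.
SAMPLE = """\
10/03/10 3:53:58 PM SecurityAgent[156] User info context values set for tom
10/03/10 3:53:58 PM authorizationhost[154] Failed to authenticate user (tDirStatus: -14090).
10/03/10 3:54:00 PM SecurityAgent[156] User info context values set for tom
10/03/10 3:54:00 PM authorizationhost[154] Failed to authenticate user (tDirStatus: -14090).
10/03/10 3:54:03 PM SecurityAgent[156] User info context values set for tom
10/03/10 3:54:03 PM authorizationhost[154] Failed to authenticate user (tDirStatus: -14090).
13/03/10 1:18:48 PM DirectoryService[11] Failed Authentication return is being delayed due to over five recent auth failures for username: tom.
"""
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d{1,2}:\d\d:\d\d [AP]M) (\w+)\[\d+\] (.*)$")
FMT = "%d/%m/%y %I:%M:%S %p"  # assumption: day/month/year, as "13/03/10" implies

def summarize(log_text, burst_gap=60):
    """Group failed authentications into bursts (gaps <= burst_gap seconds)."""
    bursts, user = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, proc, msg = datetime.strptime(m[1], FMT), m[2], m[3]
        last = bursts[-1] if bursts else None
        near = last is not None and (ts - last["times"][-1]).total_seconds() <= burst_gap
        if proc == "SecurityAgent" and "context values set for" in msg:
            user = msg.split()[-1]  # name the next failure line is attributed to
        elif proc == "authorizationhost" and msg.startswith("Failed to authenticate"):
            if near and last["user"] == user:
                last["times"].append(ts)
            else:
                bursts.append({"user": user, "times": [ts], "delayed": False})
        elif proc == "DirectoryService" and "being delayed" in msg:
            if near and msg.rstrip(".").split()[-1] == last["user"]:
                last["delayed"] = True  # delay message logged during this burst
    out = []
    for b in bursts:
        t = b["times"]
        gaps = [(y - x).total_seconds() for x, y in zip(t, t[1:])]
        out.append({"user": b["user"], "failures": len(t), "start": t[0],
                    "span_s": (t[-1] - t[0]).total_seconds(),
                    "median_gap_s": median(gaps) if gaps else None,
                    "delay_logged": b["delayed"]})
    return out

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Run against the full exported log, evenly spaced gaps across many bursts point toward a client retrying on a schedule, while the presence or absence of the delay message shows whether a burst went through the same path as the replicated attempts.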