As a security feature on a PHP website I am creating, I plan to record password attempts in a table for a low-traffic website. (Correct passwords are salted and stored with non-reversible encryption.)
This is to temporarily, and in some cases permanently, block users and IPs based on their number of attempts within a time range and their location.
I plan to store incorrect usernames and passwords in plain text or with reversible (asymmetric) encryption.
A user who has a typo in their username may have their correct password stored, so...
Is this an awful idea? If so, why and what would you recommend? Reversible encryption?
I am inclined to store incorrect attempts as I am interested to see what incorrect passwords bots use to brute force so I can prevent their use.
(I currently block users from using the 100 most common passwords from the famous Adobe hack along with a few others.)
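
One way to implement the attempt-based blocking described in the question without writing the submitted password to the table, as an added example that is not part of the original post. Table, column and function names are hypothetical, and the window and thresholds are constructed values; the guess is only compared in memory against the existing common-password blocklist and recorded as a flag.

```php
<?php
declare(strict_types=1);

// Added example. Names are hypothetical; window and thresholds are constructed values.
const WINDOW_SECONDS = 900;
const MAX_PER_USER   = 5;
const MAX_PER_IP     = 20;

function initSchema(PDO $db): void
{
    // No password column: only who, from where, when, and a blocklist flag.
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
        username TEXT NOT NULL, ip TEXT NOT NULL,
        attempted_at INTEGER NOT NULL, on_blocklist INTEGER NOT NULL)');
}

function recordFailure(PDO $db, string $user, string $ip, string $password, array $blocklist, int $now): void
{
    // The guess is compared in memory and then discarded, never stored.
    $flag = in_array(strtolower($password), $blocklist, true) ? 1 : 0;
    $db->prepare('INSERT INTO login_failures VALUES (?, ?, ?, ?)')
       ->execute([substr($user, 0, 64), $ip, $now, $flag]);
}

function failuresSince(PDO $db, string $column, string $value, int $since): int
{
    // $column is only ever one of the two literals passed by isBlocked().
    $stmt = $db->prepare("SELECT COUNT(*) FROM login_failures WHERE $column = ? AND attempted_at > ?");
    $stmt->execute([$value, $since]);
    return (int) $stmt->fetchColumn();
}

function isBlocked(PDO $db, string $user, string $ip, int $now): bool
{
    $since = $now - WINDOW_SECONDS;
    return failuresSince($db, 'username', substr($user, 0, 64), $since) >= MAX_PER_USER
        || failuresSince($db, 'ip', $ip, $since) >= MAX_PER_IP;
}

// Constructed demo: five bad guesses for one account from one address.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initSchema($db);
$blocklist = ['123456', 'password', 'qwerty'];   // stand-in for the site's real blocklist
$now = 1700000000;
foreach (['123456', 'password', 'letmein', 'qwerty', 'dragon'] as $i => $guess) {
    recordFailure($db, 'alice', '203.0.113.7', $guess, $blocklist, $now + $i);
}
var_dump(isBlocked($db, 'alice', '203.0.113.7', $now + 10));                  // inside the window
var_dump(isBlocked($db, 'alice', '203.0.113.7', $now + 10 + WINDOW_SECONDS)); // window has passed
var_dump(isBlocked($db, 'bob', '198.51.100.9', $now + 10));                   // unrelated user and IP
```

Call `isBlocked()` before verifying credentials and `recordFailure()` only after a failed verification; the `on_blocklist` flag shows how many guesses came from the common-password list without retaining any guess.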