---
title: Do Not Log Credentials Or Tokens
impact: MEDIUM
impactDescription: prevents credential exposure in logs
tags: logging, credentials, tokens, secrets, security, csharp
---

## Do Not Log Credentials Or Tokens

Never write passwords or raw tokens to logs. Log a non-secret identifier, such as the username, instead.

**Incorrect:**

```csharp
_logger.LogInformation("Login attempt with password {Password}", password);
```

**Correct:**

```csharp
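// Inside the login handler: log who is signing in, never the secret.
_logger.LogInformation("Login attempt for User {User}", username);

// Newer .NET: source-generated logging with redaction (class member).
// The template references only {User}, so the password is not in the message text.
// [NotLogged] is not defined by Microsoft.Extensions.Logging itself; it is assumed
// here to come from a redaction/attribute package referenced by the project.
[LoggerMessage(Level = LogLevel.Information, Message = "Login for {User}")]
partial void LogLogin(string user, [NotLogged] string password);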
```
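
The rule also covers tokens, which usually reach the log through request headers. As an added example (not from the original page or from any library), the hypothetical `LogSanitizer` helper below replaces secret-bearing header values with a short SHA-256 fingerprint before they are logged. The header list and sample values are constructed, and `Console` stands in for `ILogger`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not a .NET API): makes request headers safe to log.
public static class LogSanitizer
{
    // Assumed list of secret-bearing headers; extend it for your own API.
    private static readonly HashSet<string> SensitiveHeaders =
        new(StringComparer.OrdinalIgnoreCase)
        { "Authorization", "Cookie", "Set-Cookie", "X-Api-Key" };

    // Truncated SHA-256 lets you correlate log lines for one token without
    // logging it. Use only for high-entropy tokens: a fingerprint of a
    // password can be guessed offline, so passwords are simply omitted.
    public static string Fingerprint(string secret)
    {
        byte[] hash = SHA256.HashData(Encoding.UTF8.GetBytes(secret));
        return "sha256:" + Convert.ToHexString(hash, 0, 6).ToLowerInvariant();
    }

    // Returns a copy of the headers with secret values replaced.
    public static Dictionary<string, string> ForLogging(
        IReadOnlyDictionary<string, string> headers)
    {
        var safe = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var (name, value) in headers)
            safe[name] = SensitiveHeaders.Contains(name)
                ? $"[REDACTED {Fingerprint(value)}]"
                : value;
        return safe;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample headers; the token is a made-up value.
        var headers = new Dictionary<string, string>
        {
            ["Host"] = "api.example.test",
            ["Authorization"] = "Bearer constructed-sample-token-123",
        };
        foreach (var (name, value) in LogSanitizer.ForLogging(headers))
            Console.WriteLine($"{name}: {value}");
    }
}
```

Pass the dictionary returned by `ForLogging` to the logger in place of the raw header collection.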

**Tools:** Roslyn Analyzers
