Channel: Issues for Drupal core

Routine user error can lead to plaintext passwords in the database

Making public from issue reported on s.d.o against 7.x

"Drupal logs unsuccessful login attempts via watchdog in the following format:
Login attempt failed for [contents of username field]

Anecdotal evidence shows that users commonly make the mistake of entering both their usernames and passwords in the username field. For example, this is common among keyboard navigators who focus first on the username field and then (unsuccessfully) tab to the password field, enter their password and press enter.

The result is Drupal storing the user's password in plaintext. If the database is compromised, it would be easy for an attacker to determine passwords.

I suggest adding a check to user_login_final_validate() that ensures what has been entered in the username field is indeed a valid user before logging it to watchdog. If it is not a valid user, log the IP address instead."
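As an added illustration of the suggestion above (this is not Drupal's own patch), a Drupal 7-style final validation handler that looks the submitted name up before writing it to watchdog and logs only the client IP when it does not match an existing account. It assumes the Drupal 7 functions user_load_by_name(), watchdog(), ip_address(), form_set_error() and t(); the function name example_user_login_final_validate is a placeholder.

```php
<?php
/**
 * Added example, not the Drupal core fix: a login validation handler that
 * never echoes the raw username field into the log, because users sometimes
 * type "username password" into that field by mistake.
 *
 * Assumes the Drupal 7 API: user_load_by_name(), watchdog(), ip_address(),
 * form_set_error() and t(). The function name is a placeholder.
 */
function example_user_login_final_validate($form, &$form_state) {
  // An earlier validator already authenticated the user; nothing to log.
  if (!empty($form_state['uid'])) {
    return;
  }

  $name = isset($form_state['values']['name']) ? $form_state['values']['name'] : '';
  form_set_error('name', t('Sorry, unrecognized username or password.'));

  // Write the submitted value to watchdog only when it names a real account.
  // Anything else (including "username<space>password") is discarded and the
  // client IP is recorded instead, so a stray password never reaches the
  // watchdog table in plaintext.
  if ($name !== '' && user_load_by_name($name)) {
    watchdog('user', 'Login attempt failed for %user.', array('%user' => $name));
  }
  else {
    watchdog('user', 'Login attempt failed from %ip.', array('%ip' => ip_address()));
  }
}
```

Note that with the dblog module enabled, watchdog() messages land in the database, which is exactly the table the report is worried about.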
