As a security feature on a PHP website I am creating I plan to record password attempts in a table for a low traffic website. (Correct passwords are salted and stored with non reversible encryption.)
This is to temporarily and permanently in some cases block users and IPs based on their number of attempts within a time range and their location.
I plan to store incorrect usernames and passwords in plain text or with reversible (asymetric) encryption.
A user who has a typo in their username may have their correct password stored, so...
Is this an awful idea? If so, why and what would you recommend? Reversible encryption?
I am inclined to store incorrect attempts as I am interested to see what incorrect passwords bots use to brute force so I can prevent their use.
(I currently block users from using the 100 most common passwords from the famous adobe hack along with a few others.)
I'd say this is awful, for the reasons you stated but also because many users may have several passwords they always use and will try each of these if they can't remember their password.
Reversible encryption is not much better. Anyone with access to the passwords likely has access to whatever is doing the decryption and encryption.
I would advise against this altogether and rather try to encourage good passwords rather than preventing bad ones.
Do you really need to see what incorrect passwords are used? Actually, it is sufficient to reject commonly used passwords without knowing what they are.
You can use commonly used one-way hash functions such as bcrypt and store the hash values. Against each hash value, keep a counter to indicate how frequently they are being used. All your operations, such as blocking the user, will be based on hashed passwords, not the plain ones.