Like I said, logging the password would give the sysadmin a better idea of what kind of attack is underway -- are the passwords just incremental alphanumerics, or a dictionary list, or a list of usernames? Does it look like the work of a well-known rootkit? Things like that...