Section
8.2.3
Top Level
Sub Level
General
No sensitive information, user passwords, certificates, or personally identifiable information (SSN, phone number, addresses) should ever be recorded in a log. Encode all user input before putting it in a log entry. Mistakes in logging configuration and usage can cause sensitive information to leak.
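One way to enforce both rules at a single point, shown as an added example that is not part of the original requirement: a Python `logging` filter that redacts and then encodes every formatted entry, so a call site that forgets to do so is still covered. The patterns, the logger name and the sample inputs are constructed for illustration; the patterns cover only SSN-shaped values and secret `key=value` pairs.

```python
import io
import logging
import re

# Constructed patterns for this example; extend them for the data your system handles.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|token|secret)=\S+")


def redact(text):
    """Replace SSN-shaped values and secret key=value pairs with markers."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    return SECRET_KV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)


def encode_for_log(text):
    """Escape backslashes and non-printable characters (CR, LF, ESC, ...)
    so one log call always produces exactly one unambiguous line."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)


class SafeLogFilter(logging.Filter):
    """Redact, then encode, the fully formatted message of every record."""

    def filter(self, record):
        record.msg = encode_for_log(redact(record.getMessage()))
        record.args = None  # message is already formatted
        return True


def demo():
    """Log constructed hostile input and return the lines written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(SafeLogFilter())  # on the handler: covers child loggers too
    logger = logging.getLogger("safe_log_demo")  # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    # Constructed inputs: a forged second entry, and secrets in a request body.
    logger.info("login failed for user=%s", "bob\nINFO login ok for user=admin")
    logger.info("signup body: %s", "ssn=123-45-6789 password=hunter2")
    return stream.getvalue().splitlines()
```

Pattern-based redaction is a safety net for mistakes in logging usage, not a substitute for keeping sensitive fields out of log calls in the first place.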