If I perform an access request to Stash using an invalid password, I don't see anything logged.

This can help also help track rogue build bots using invalid credentials that trigger CAPTCHAs that currently can't be disabled (STASH-3001).

It would be nice to have it in a security log similar to what JIRA offers and log: failed attempts, password changes, SSH key changes, etc.