diff --git a/src/auth.rs b/src/auth.rs
index 1ade8dc..5dff906 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -181,7 +181,8 @@ impl<S: CredentialStore + Clone> AuthManager<S> {
 
         let key = self.derive_long_term_key(&username, &password);
         if !validate_message_integrity(msg, &key) {
-            warn!("auth reject: bad credentials username={} realm={} peer={}", username, realm, peer);
+            let key_hex = hex::encode(&key);
+            warn!("auth reject: bad credentials username={} realm={} peer={} a1_md5={} (debug)", username, realm, peer, key_hex);
             return AuthStatus::Reject {
                 code: 401,
                 reason: "Bad Credentials",