Re: account lock on failed login
From: all mail refused (elvis_at_notatla.org.uk)
Date: 06/11/04
- Next message: Felix Tilley: "Re: SSRT3606 rev.2 wu-ftpd off by one vulnerability"
- Previous message: Larry: "account lock on failed login"
- In reply to: Larry: "account lock on failed login"
- Next in thread: david20_at_alpha2.mdx.ac.uk: "Re: account lock on failed login"
- Reply: david20_at_alpha2.mdx.ac.uk: "Re: account lock on failed login"
Date: 10 Jun 2004 22:10:37 GMT
In article <fa148c36.0406101329.3721068a@posting.google.com>, Larry wrote:
> If several failed attempts to login to an account
> occur, the security auditors want the account to be locked
> .... Someone proposed that something would
> automatically unlock the account after so many minutes or hours
A temporary locking in response to multiple failed logins
might be reasonable.
>but apparently that defeats the purpose. Is there a better solution ?
If you have strong passwords you don't care about people trying
to guess them. Enforce password complexity at the time they are set
and use one of the password hashes stronger than crypt(3) - in part
because you want to accept passwords longer than 8 characters.
-- Elvis Notargiacomo master AT barefaced DOT cheek http://www.notatla.org.uk/goen/
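The temporary lock with automatic unlock discussed in this thread, sketched as an added example that is not part of the original post. The class name, thresholds and in-memory storage are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field


@dataclass
class TemporaryLockout:
    """Lock an account for lock_seconds once max_failures failed logins
    fall inside a sliding window of window_seconds (hypothetical policy)."""
    max_failures: int = 5
    window_seconds: float = 300.0
    lock_seconds: float = 900.0
    clock: callable = time.monotonic  # injectable so the policy can be tested
    _failures: dict = field(default_factory=dict)      # user -> failure times
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: unlock automatically and start a clean count.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Record a failed login; return True if the account is now locked."""
        if self.is_locked(user):
            # Attempts made while locked are rejected and do not extend the
            # lock, so a guesser cannot keep the owner out indefinitely
            # without waiting out each lock period.
            return True
        now = self.clock()
        recent = [t for t in self._failures.get(user, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            return True
        return False

    def record_success(self, user):
        # A successful login clears the failure history for that account.
        self._failures.pop(user, None)
```

Call `is_locked()` before checking the password, so that a correct guess made during the lock period is still refused.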