Re: account lock on failed login
david20_at_alpha2.mdx.ac.uk
Date: 06/11/04
- In reply to: all mail refused: "Re: account lock on failed login"
Date: Fri, 11 Jun 2004 11:54:09 +0000 (UTC)
In article <slrncchndp.bk6.elvis@notatla.org.uk>, elvis@notatla.org.uk (all mail refused) writes:
>In article <fa148c36.0406101329.3721068a@posting.google.com>, Larry wrote:
>
>> If several failed attempts to login to an account
>>occur, the security auditors want the account to be locked
>> .... Someone proposed that something would
>>automatically unlock the account after so many minutes or hours
>
>A temporary locking in response to multiple failed logins
>might be reasonable.
>
Permanently locking accounts because of login failures is not a good idea since
it converts the attack into a trivial denial of service attack.
David Webb
VMS and Unix team leader
CCSS
Middlesex University
>>but apparently that defeats the purpose. Is there a better solution ?
>
>If you have strong passwords you don't care about people trying
>to guess them. Enforce password complexity at the time they are set
>and use one of the password hashes stronger than crypt(3) - in part
>because you want to accept passwords longer than 8 characters.
>
>--
>Elvis Notargiacomo master AT barefaced DOT cheek
>http://www.notatla.org.uk/goen/
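The trade-off discussed in this thread, as an added example that is not part of any poster's message: a per-account failure counter compared under a permanent lock and under a temporary lock that expires on its own. The class and function names, the threshold of 5 failures and the 15-minute lock are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Account:
    failures: int = 0
    locked_until: float = 0.0  # math.inf means "until an administrator resets it"


class LoginGuard:
    """Counts consecutive failed logins per account and locks after a threshold."""

    def __init__(self, max_failures=5, lock_seconds=900.0):
        # lock_seconds=None models the permanent lock; a number models auto-unlock.
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.accounts = {}

    def attempt(self, user, password_ok, now):
        acct = self.accounts.setdefault(user, Account())
        if now < acct.locked_until:
            return "locked"  # the password is not checked while locked
        if password_ok:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.failures = 0
            permanent = self.lock_seconds is None
            acct.locked_until = math.inf if permanent else now + self.lock_seconds
        return "denied"


def simulate(guard, attack_seconds=3600, owner_login_at=7200):
    """Constructed scenario: one wrong guess per second, then the owner logs in."""
    checked = 0  # guesses that were actually compared against the password
    for t in range(attack_seconds):
        if guard.attempt("alice", False, float(t)) == "denied":
            checked += 1
    return checked, guard.attempt("alice", True, float(owner_login_at))


if __name__ == "__main__":
    print("temporary lock:", simulate(LoginGuard(lock_seconds=900.0)))
    print("permanent lock:", simulate(LoginGuard(lock_seconds=None)))
```

With the temporary lock, an hour of guessing gets only 20 guesses checked and the owner can log in once the guessing has stopped and the lock has expired; with the permanent lock, five bad guesses keep the owner out until someone resets the account.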