
Re: Server side delay for bad passwords?



Dan White wrote:

> I'd only want a delay when a user/attacker has entered a bad password,
> similar to the way a UNIX shell introduces a delay. My concern is that
> the faster I tune my server, the more likely it will become that an
> attacker will brute force a password.


Given the current implementation, the delay will keep a thread busy for
its duration.  Your server, under attack, would quickly become
unresponsive for any user.  Probably, your case should be handled
separately, e.g. by writing an overlay that registers a delay for a
given connection and quickly releases the operation, and a background
thread that wakes up when it's time to return errors after the delay.
Nothing dramatic, but definitely needs some development.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
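The overlay/background-thread split sketched in the reply, as an added example (it is neither OpenLDAP code nor the author's): the worker that sees a bad password pushes the connection's release time onto a heap and returns at once, and a single scheduler thread sleeps until the earliest entry is due and only then sends the error. The class and method names, the fixed delay and the `send_error` callback are assumptions.

```python
import heapq
import threading
import time

class DeferredErrorQueue:
    """Hypothetical deferred-error scheduler (not OpenLDAP code): a worker only
    registers a bad bind and moves on; one background thread answers it later."""
    def __init__(self, delay=2.0):
        self.delay = delay           # assumed fixed penalty, in seconds
        self._heap = []              # entries are (due_time, seq, conn_id)
        self._seq = 0
        self._cond = threading.Condition()

    def register(self, conn_id, now):
        """Worker side: one heap push, never a sleep. Returns the release time."""
        due = now + self.delay
        with self._cond:
            heapq.heappush(self._heap, (due, self._seq, conn_id))
            self._seq += 1
            self._cond.notify()      # wake an idle scheduler
        return due

    def release_due(self, now):
        """Pop every connection whose delay has expired, earliest first."""
        released = []
        with self._cond:
            while self._heap and self._heap[0][0] <= now:
                released.append(heapq.heappop(self._heap)[2])
        return released

    def run(self, send_error, stop):
        """Background thread: wait until the earliest due time, then answer."""
        while not stop.is_set():
            with self._cond:
                wait = 0.1 if not self._heap else self._heap[0][0] - time.monotonic()
                if wait > 0:
                    self._cond.wait(timeout=wait)
            for conn_id in self.release_due(time.monotonic()):
                send_error(conn_id)  # writes the invalidCredentials result

def demo(n=5, delay=0.05):
    """Constructed input: n bad binds at once; returns the ids answered later."""
    answered, q, stop = [], DeferredErrorQueue(delay), threading.Event()
    threading.Thread(target=q.run, args=(answered.append, stop), daemon=True).start()
    for conn_id in range(n):         # the caller returns immediately each time
        q.register(conn_id, time.monotonic())
    time.sleep(1.0)                  # plenty of time for a 50 ms delay
    stop.set()
    return answered
```

Because no worker thread ever sleeps, a flood of bad binds costs the server one heap entry per attempt rather than one parked thread, which is the failure mode the reply warns about.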