[Date Prev][Date Next]
Re: Server side delay for bad passwords?
Buchan Milne wrote:
The UNIX shell (well actually, the login binary on my UNIX clone OS, which
uses PAM) doesn't introduce a delay for a bad password, but under any
circumstance where the credentials supplied are incorrect.
Implementing it only for when the password is incorrect is typically
discouraged by security researchers, as this is information disclosure (which
could assist an attacker in gathering information for performing an attack).
For example, a few years back, OpenSSH specifically added a patch to ensure
that when OpenSSH authenticated via PAM, that the delay would be exactly the
same whether the user existed or not.
Now, if you really want to introduce a long delay when any bind fails, I think
you will experience problems.
I think maybe the UNIX shell example was a bad one. I'm an ISP
admin, and what I'd like to do is make our LDAP server another
ISP service. Today most, if not all, of our ISP services
introduce a delay when incorrect *credentials* are supplied
For example, all of these services introduce a delay when there's
a bad username/password submitted:
Even in the case where I'm authenticating via SASL (IMAP), I get
a delay when I submit incorrect credentials:
neo:~# time echo "a01 logout" | imtest -m DIGEST-MD5 -a baduser
-w badpass neo.olp.net
Authentication failed. generic failure
Security strength factor: 128
C: Q01 LOGOUT
* BYE LOGOUT received
a01 OK Completed
I do understand there's a difference between protocols, and what
effect delays would have for different services, but I'm prepared
to accept the performance penalties associated with adding a
delay as long as its reasonable.
IMHO, you should rather ensure that entering the incorrect password more than
a specified number of times results in the account being locked out. If your
SASL mechanism can't do this, take that to their list.
I don't agree that this is a SASL (cyrus) specific issue, since
some other services have implemented a delay. I still need to
check out the retcode plugin.
Although It'd be interesting if cyrus sasl had some kind of
plugin (like canonuser) that could be used to insert some logic
during each and every login attempt. I have delays with my
pop3/imap/smtp services for incorrect credentials, but I'd love
to have a more configurable password policy.