
Re: password policy - alternate lockout mechanism

Aravind Gottipati wrote:

The current password policy module can lock folks out after some
configurable number of failed attempts.  The module currently does not
differentiate between a user failing with the same wrong password a
bunch of times versus a crack attempt where someone tries multiple
different wrong passwords.  Are there any modules that take into
account if the same password is being used a bunch of times or if
multiple different passwords are failing?


Could this be a useful feature worth requesting (if it doesn't exist already)?

What makes you think a legitimate user who forgot their password won't try multiple times with different passwords? I.e., what makes you think you can distinguish a cracker from a legit user this way?

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
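For readers wondering what the mechanism asked about above would actually look like, here is an added sketch of a lockout counter that counts distinct wrong passwords rather than raw attempts. It is illustrative code written for this page, not part of the thread and not OpenLDAP's ppolicy overlay (whose counter is per failed bind). The class name, the HMAC fingerprinting of each wrong guess and the sliding window are all choices made here. Two caveats a practitioner would want: the reply's objection still holds, because a user cycling through their own forgotten passwords produces distinct failures exactly like a guessing attack does; and the fingerprints are sensitive data, since wrong guesses are frequently near-misses of the real password, so they are keyed with a per-user random secret and kept only in memory.

```python
"""Lockout counter keyed on distinct wrong passwords (illustrative only).

Added example for this thread; not OpenLDAP code.  A user re-sending the
same wrong password adds one fingerprint; a guessing attack cycling a
wordlist adds one per guess.  The account locks once `max_distinct`
different wrong passwords are seen inside `window_seconds`.
"""
import hashlib
import hmac
import secrets
import time


class DistinctFailureLockout:          # hypothetical name, not a real module
    def __init__(self, max_distinct=5, window_seconds=900, clock=time.time):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self.clock = clock              # injectable so tests can move time
        self._state = {}                # user -> {key, first, total, distinct}

    def _fresh(self, user):
        # Per-user random HMAC key, held only in memory: wrong guesses are
        # often near-misses of the real password, so they are never stored
        # raw, and fingerprints are meaningless without the key.
        st = {
            "key": secrets.token_bytes(32),
            "first": self.clock(),
            "total": 0,
            "distinct": set(),
        }
        self._state[user] = st
        return st

    def _current(self, user):
        st = self._state.get(user)
        if st is not None and self.clock() - st["first"] > self.window:
            del self._state[user]       # window expired: forget old failures
            st = None
        return st

    def record_failure(self, user, candidate):
        """Record one failed bind with `candidate`; return True if now locked."""
        st = self._current(user) or self._fresh(user)
        fp = hmac.new(st["key"], candidate.encode("utf-8"), hashlib.sha256).digest()
        st["total"] += 1
        st["distinct"].add(fp)          # identical wrong passwords collapse here
        return self.is_locked(user)

    def record_success(self, user):
        """A correct password clears all failure state for the user."""
        self._state.pop(user, None)

    def is_locked(self, user):
        st = self._current(user)
        return st is not None and len(st["distinct"]) >= self.max_distinct

    def total_failures(self, user):
        st = self._current(user)
        return st["total"] if st else 0

    def distinct_failures(self, user):
        st = self._current(user)
        return len(st["distinct"]) if st else 0


if __name__ == "__main__":
    # Constructed demo: the same wrong password three times is one distinct
    # failure; three different wrong passwords lock the account.
    lk = DistinctFailureLockout(max_distinct=3)
    for _ in range(3):
        lk.record_failure("alice", "Summer2019")
    print("alice total/distinct/locked:", lk.total_failures("alice"),
          lk.distinct_failures("alice"), lk.is_locked("alice"))
    for guess in ("123456", "password", "letmein"):
        lk.record_failure("bob", guess)
    print("bob total/distinct/locked:", lk.total_failures("bob"),
          lk.distinct_failures("bob"), lk.is_locked("bob"))
```

A plain per-attempt counter with the same threshold would have locked both accounts; this one locks only the wordlist pattern. Whether that is an improvement is exactly the question the reply raises, since the legitimate-user-who-forgot case is indistinguishable from the second pattern.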