
Re: password policy - alternate lockout mechanism



On Tue, Jan 27, 2009 at 9:28 AM, Howard Chu <hyc@symas.com> wrote:
> What makes you think a legitimate user who forgot their password won't try
> multiple times with different passwords? I.e., what makes you think you can
> distinguish a cracker from a legit user this way?
>

True, a legitimate user that has forgotten their password will try
multiple times with different passwords.  However it's still a small
set of different passwords they would be trying.  Contrast that with a
crack attempt where someone would try with a different password every
time.  Let's say that we set the limit at 50.  It's unlikely that a
legitimate user would try with more than 50 different passwords.
They'd just give up after some small number and file a ticket to have
it reset.  A crack attempt on the other hand would easily cross that
limit.

In our case, the usual problem has been that someone changes their
password, but they don't change their password on all the machines they
use to access corp resources.  So some mail client somewhere keeps
trying to login with the same old password, and locks them out because
the application doesn't have the sense to stop trying after a failed
attempt.

In general though, repeated failed attempts with a small set of
passwords isn't indicative of a crack attempt.  Multiple attempts with
different passwords is.

Aravind.
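The distinction drawn in the message above, as an added example that is not part of the original thread or of OpenLDAP: a small lockout simulator that keeps the classic failed-attempt counter (the pwdMaxFailure style) beside a counter of *distinct* failed passwords, and feeds both a constructed "stale mail client" stream and a constructed "many different passwords" stream. The thresholds (5 attempts, 50 distinct passwords), the user name, the pepper and the login streams are all assumptions made for the illustration. Failed passwords are never stored in the clear; each is reduced to a keyed, truncated HMAC fingerprint, since a wrong password for this account may be a valid password somewhere else.

```python
"""Lockout policy that counts distinct failed passwords per user.

Added example, not code from the original mailing-list thread or from
OpenLDAP. Thresholds, user names and the sample streams are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Service-side secret: protects the stored digests of wrong passwords.
# The fallback value exists only so the example runs offline.
_PEPPER = os.environ.get("LOCKOUT_PEPPER", "example-pepper-do-not-use").encode()


def _fingerprint(username: str, password: str) -> str:
    """Keyed, truncated digest of one failed password attempt.

    HMAC with a service-side key makes the stored set useless to anyone
    who obtains it without the key; only 16 hex characters are kept
    because the policy needs distinctness, not recoverability.
    """
    msg = f"{username}\x00{password}".encode()
    return hmac.new(_PEPPER, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class UserState:
    failed_attempts: int = 0
    distinct_failed: Set[str] = field(default_factory=set)
    locked: bool = False


@dataclass
class LockoutPolicy:
    """Classic per-attempt lockout versus distinct-password lockout."""
    max_attempts: int = 5        # classic pwdMaxFailure-style threshold (assumed)
    max_distinct: int = 50       # the limit suggested in the message (assumed)
    mode: str = "distinct"       # "attempts" or "distinct"
    users: Dict[str, UserState] = field(default_factory=dict)

    def record_failure(self, username: str, password: str) -> bool:
        """Record one failed bind; return True if the account is now locked."""
        st = self.users.setdefault(username, UserState())
        if st.locked:
            return True
        st.failed_attempts += 1
        st.distinct_failed.add(_fingerprint(username, password))
        if self.mode == "attempts":
            st.locked = st.failed_attempts >= self.max_attempts
        else:
            st.locked = len(st.distinct_failed) >= self.max_distinct
        return st.locked

    def record_success(self, username: str) -> None:
        """A successful bind clears the failure state for that user."""
        self.users.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return self.users.get(username, UserState()).locked


def stale_client_stream(n: int = 100) -> List[Tuple[str, str]]:
    """Constructed: a mail client retrying the same old password n times."""
    return [("alice", "old-password")] * n


def distinct_password_stream(n: int = 60) -> List[Tuple[str, str]]:
    """Constructed: n failed binds, each with a different password."""
    return [("alice", f"wrong-{i}") for i in range(n)]


def run(policy: LockoutPolicy, stream: List[Tuple[str, str]]) -> int:
    """Feed failed binds; return the attempt number at which the lock
    happened, or 0 if the stream finished without locking the account."""
    for i, (user, pw) in enumerate(stream, 1):
        if policy.record_failure(user, pw):
            return i
    return 0


if __name__ == "__main__":
    for mode in ("attempts", "distinct"):
        print(mode, "stale client locked at:",
              run(LockoutPolicy(mode=mode), stale_client_stream()))
        print(mode, "60 different passwords locked at:",
              run(LockoutPolicy(mode=mode), distinct_password_stream()))
```

Under the classic counter both streams lock the account at the fifth failure, so the misconfigured client and the guessing pattern are indistinguishable; under the distinct-password counter the stale client never locks the account while the stream of different passwords locks it at the fiftieth. Two things a real deployment would add that the simulator leaves out: the fingerprint set must expire, in the spirit of pwdFailureCountInterval, so an account does not accumulate distinct failures over months, and the raw attempt counter is still worth keeping for alerting, because a flood of identical failures is a client that needs fixing even if it should not lock the user out.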