
Re: password policy - alternate lockout mechanism

On Tue, Jan 27, 2009 at 12:14 PM, Clowser, Jeff
<jeff_clowser@fanniemae.com> wrote:
> Sounds like what you are saying is that rather than counting the number of
> failed attempts to bind, you want to count the number of failed unique
> passwords that were attempted - i.e. if you keep trying the same password
> over and over, it only counts as one, so clients with saved passwords
> don't constantly lock out accounts.

Yup, exactly.

> That would be nice, but I can't help but think (without having thought it
> out in detail) that there would be a gotcha to this - performance issue,
> security vulnerability saving all those attempted passwords, etc.

Well... I can't speak for performance, I am not familiar enough with
the code base to really even attempt this myself. Implementing this
as another overlay module should limit the impact it has on core code?
As to the security vulnerability, combining this with a policy that
says you are not allowed to re-use previous passwords should help
mitigate that.
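To make the proposal in this thread concrete, here is an added example of the "count distinct failed passwords" lockout logic. It is my own prototype, not code from the thread or from any LDAP server or overlay. It assumes an in-memory per-account store and the constructed thresholds shown (3 distinct wrong passwords, a 600 s window, a 900 s lockout); the class, method and user names are mine. Instead of saving the attempted passwords themselves (the gotcha raised above), it keeps only an HMAC tag of each failed attempt under a random per-account key that is thrown away when the window or lockout ends, so a repeated identical attempt collapses to one entry and no attempted password is stored in the clear.

```python
"""Prototype of a lockout counter keyed on distinct failed passwords.

Added example, not code from the thread or from an LDAP server.
"""
import hashlib
import hmac
import secrets
import time


class UniqueFailureLockout:
    def __init__(self, max_unique_failures=3, window_seconds=600,
                 lockout_seconds=900):
        self.max_unique = max_unique_failures  # distinct wrong passwords before lockout
        self.window = window_seconds           # lifetime of the set of seen tags
        self.lockout = lockout_seconds         # how long an account stays locked
        self._state = {}                       # user -> per-account state (assumed in-memory)

    def _entry(self, user, now):
        """Return the account's state, starting a fresh window when needed."""
        e = self._state.get(user)
        expired = e is not None and (
            now - e["first"] > self.window
            or (e["locked_until"] and e["locked_until"] <= now))
        if e is None or expired:
            # A fresh key makes any tags left from the old window meaningless.
            e = {"key": secrets.token_bytes(32), "seen": set(),
                 "first": now, "locked_until": 0.0}
            self._state[user] = e
        return e

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        e = self._state.get(user)
        return e is not None and e["locked_until"] > now

    def record_failure(self, user, password, now=None):
        """Register a failed bind; return the number of distinct passwords seen."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return len(self._state[user]["seen"])
        e = self._entry(user, now)
        # Store only a keyed tag of the attempt, never the attempt itself.
        tag = hmac.new(e["key"], password.encode("utf-8"), hashlib.sha256).digest()
        e["seen"].add(tag)                     # same password again -> same tag, no growth
        if len(e["seen"]) >= self.max_unique:
            e["locked_until"] = now + self.lockout
        return len(e["seen"])

    def record_success(self, user):
        """A good bind clears the account's failure state."""
        self._state.pop(user, None)


def demo():
    """Constructed scenario: a client retrying a stale cached password vs. a guesser."""
    policy = UniqueFailureLockout(max_unique_failures=3)
    t = 1_000.0
    for _ in range(20):                        # stale cached password retried 20 times
        policy.record_failure("alice", "old-cached-password", now=t)
    cached_locked = policy.is_locked("alice", now=t)   # False: only one distinct password
    for guess in ("guess-1", "guess-2"):       # two further distinct wrong passwords
        policy.record_failure("alice", guess, now=t)
    guesser_locked = policy.is_locked("alice", now=t)  # True: threshold of 3 reached
    return cached_locked, guesser_locked


if __name__ == "__main__":
    print(demo())
```

Two properties worth noting for the concerns raised in the thread: per-account storage is bounded by the threshold (the set can never hold more than max_unique tags, because the account locks at that point), and the tags are useless once the window's key is discarded, which is the point of keying them per account and per window rather than hashing the attempts directly.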