[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy - alternate lockout mechanism

On Jan 27, 2009, at 12:14 PM, Clowser, Jeff wrote:

That would be nice, but I can't help but think (without having thought
out in detail) that there would be a gotcha to this - performance issue,
security vulnerability saving all those attempted passwords, etc.

There is actually a significant security risk in keeping a history of such passwords. While they might be invalid at the DSA for authentication, they are likely valid elsewhere. That is, it quite likely that a user might enter passwords for related systems. So keeping long term (pass the authentication request) exposes the user to greater risk.

Of course, one should note that lockout mechanisms are a major target of DoS attacks...

-- Kurt