Re: password policy - alternate lockout mechanism

On Tue, Jan 27, 2009 at 2:01 PM, Clowser, Jeff
<jeff_clowser@fanniemae.com> wrote:
> I will say that if such an enhancement *were* to be implemented, it
> would probably eliminate almost all our false positives and only lock
> out users for extreme cases and genuine attacks...

Yup, this is proving to be a pita for us.  Folks log in from multiple
machines and get locked out when they forget to propagate their
password changes to all those machines.

Also, I am not sure how this will be any greater security risk than
the current system of storing an SSHA hash of the current password
within LDAP?  We could store similar hashes of all the passwords tried
(up to pwdMaxFailure) and compare against that?

Short of actually coding this up myself, what can I do to move it
along to at least a feature request that will be considered?

Thank you,