[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy - alternate lockout mechanism

On Wed, Jan 28, 2009 at 2:52 PM, Kurt Zeilenga <Kurt@openldap.org> wrote:
> Why not just raise the max tries to, say, 100?

Because, that does not solve the problem.  Here is an example.  User A
may have used passwords P1, P2, P3 in the past and he may have a few
commonly used passwords P4 and P5 as well (that he uses for other
sites).  Lets say P1 is the current password on the system.  Lets say
MaxFailureAttempts is set to 100.

User A changed the password, but forgot to update the some
applications (some of which he doesn't use often).  Some of these
applications may still be (storing and) using P2 or P3 even.

In the current system, if one of these applications continues to try
to repeatedly login with any of P1 through P5 it will lock him out
after 100 attempts.  In the modified system, since he is only trying a
few of these P1, P2, P3 (or even P4 and P5), there is no reason to
lock him out.  This is clearly not a crack attempt, since he is only
trying these few passwords multiple times.

A crack attempt on the other hand will quickly run over
MaxFailureAttempts with different passwords.

I logged a new bug in the ITS form, but it didn't spit back a bug
number at me.  I outlined the scheme Jeff proposed earlier which would
probably work very well for a system like this.