
Re: password policy - alternate lockout mechanism



On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu<hyc@symas.com> wrote:
> Fix the real problem, not just the symptom. The approach you're pushing for
> is just putting a bandaid on a problem, not fixing it. This may be how other
> folks handle their software design problems, but it just doesn't fly for
> security issues.

Howard,

You are right that it's not correct for apps to continue trying to
authenticate with an incorrect password, or for them to fail silently.
 In a perfect world this would not happen.  Unfortunately, we can't
control all these apps or users' behaviors.  My choices are to either
ignore the problem and lock folks out after X failed attempts (whether
real or from faulty apps), or, not even implement any sort of
lockouts.  I am not sure how else I can explain this to you, but it's
a real problem and saying, "fix your apps" doesn't always work.

Aravind.
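Added example (editor's illustration, not code from this thread, from OpenLDAP or from its ppolicy overlay) of the trade-off Aravind describes: a plain "lock after X failures" counter, and a variant that does not count a repeated identical wrong password, which is what a faulty client replaying a stale credential produces. Class names, the fingerprint key and the sample users are assumptions of this example.

```python
"""Lockout counter simulation (constructed example).

Compares a naive 'lock after X failures' policy with one that ignores a
failed attempt whose password is identical to the previous failed attempt
for that user. A client that keeps retrying one stale password then counts
as a single failure, while distinct guesses are still counted.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Server-side key used to fingerprint wrong passwords; with a keyed HMAC the
# stored fingerprints are not directly usable if the counter store leaks.
# (Assumption of this example; a real deployment would keep this key with
# the other server secrets.)
_FINGERPRINT_KEY = os.urandom(32)


def fingerprint(password: str) -> str:
    """Keyed fingerprint of an attempted password; never store the password itself."""
    return hmac.new(_FINGERPRINT_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class UserState:
    failures: int = 0
    locked_until: float = 0.0          # epoch seconds; 0 means not locked
    last_failed_fp: Optional[str] = None


class LockoutPolicy:
    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 ignore_repeated_password: bool = False) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ignore_repeated_password = ignore_repeated_password
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def record_failure(self, user: str, attempted_password: str, now: float) -> bool:
        """Record one failed bind; return True if the account is now locked."""
        st = self._state(user)
        fp = fingerprint(attempted_password)
        if self.ignore_repeated_password and fp == st.last_failed_fp:
            # Same wrong password as the previous failure: a replayed stale
            # credential yields no new information, so it is not counted.
            return self.is_locked(user, now)
        st.last_failed_fp = fp
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
        return self.is_locked(user, now)

    def record_success(self, user: str) -> None:
        """A successful bind clears the counter and any lockout."""
        self.users[user] = UserState()


def simulate_stale_client(ignore_repeated: bool, retries: int = 10) -> Tuple[bool, int]:
    """A faulty client (constructed scenario) retries one stale password."""
    policy = LockoutPolicy(max_failures=5, ignore_repeated_password=ignore_repeated)
    for i in range(retries):
        policy.record_failure("alice", "OldPassw0rd!", now=float(i))
    return policy.is_locked("alice", now=float(retries)), policy.users["alice"].failures


def simulate_distinct_guesses(ignore_repeated: bool, guesses: int = 10) -> Tuple[bool, int]:
    """Distinct wrong passwords (constructed) must still trip the lockout."""
    policy = LockoutPolicy(max_failures=5, ignore_repeated_password=ignore_repeated)
    for i in range(guesses):
        policy.record_failure("bob", "guess-%d" % i, now=float(i))
    return policy.is_locked("bob", now=float(guesses)), policy.users["bob"].failures


if __name__ == "__main__":
    print("stale client, naive policy:   ", simulate_stale_client(False))
    print("stale client, dedupe policy:  ", simulate_stale_client(True))
    print("distinct guesses, naive:      ", simulate_distinct_guesses(False))
    print("distinct guesses, dedupe:     ", simulate_distinct_guesses(True))
```

With the naive policy the stale client locks the account out after five retries, which is exactly the symptom described above; with the repeated-password rule the same client registers one failure and a real sequence of distinct wrong passwords still locks. This does not fix the misbehaving client (it will keep failing and filling the logs), and the counter store now holds keyed fingerprints of wrong passwords, so the key must be protected like any other server secret.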