Re: password policy - alternate lockout mechanism
On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu<firstname.lastname@example.org> wrote:
> Fix the real problem, not just the symptom. The approach you're pushing for
> is just putting a bandaid on a problem, not fixing it. This may be how other
> folks handle their software design problems, but it just doesn't fly for
> security issues.
You are right that it's not correct for apps to continue trying to
authenticate with an incorrect password, or for them to fail silently.
In a perfect world this would not happen. Unfortunately, we can't
control all these apps or users' behaviors. My choices are to either
ignore the problem and lock folks out after X failed attempts (whether
real or from faulty apps), or not even implement any sort of
lockouts. I am not sure how else I can explain this to you, but it's
a real problem and saying, "fix your apps" doesn't always work.