[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy - alternate lockout mechanism

To: Aravind Gottipati <aravind@freeshell.org>
Subject: Re: password policy - alternate lockout mechanism
From: Howard Chu <hyc@symas.com>
Date: Sun, 12 Jul 2009 22:53:50 -0700
Cc: openldap-software@openldap.org
In-reply-to: <4A5ABAD8.3070600@symas.com>
References: <a1348d630901261702h2bc88204o2b21b549e18e936a@mail.gmail.com> <a1348d630901271107t2d5514b4t399c741bf7b00d6e@mail.gmail.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0623@EXVG.fanniemae.com> <38622554-0C30-4C95-BCDB-9452FC24DA8B@OpenLDAP.org> <C65F80C878CCF24A9BC19646DE2DCA62021C0628@EXVG.fanniemae.com> <a1348d630901281315md8b28d2x51ff6a2b4b09f4aa@mail.gmail.com> <4980D453.3060808@symas.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0655@EXVG.fanniemae.com> <4980EA31.8040500@symas.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0658@EXVG.fanniemae.com> <a1348d630907122028k781dfbb0h6db3c441731e8e3c@mail.gmail.com> <4A5ABAD8.3070600@symas.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b5pre) Gecko/20090630 SeaMonkey/2.0a1pre Firefox/3.0.3

Howard Chu wrote:

Generally, we implement features according to the published specs. If you
believe this feature is valuable, you should push to have it included in the
next version of the ppolicy draft. I've been pushing for a few additions
recently as well.

http://www.openldap.org/lists/ietf-ldapext/200907/msg00001.html


More details are also on the X.500 list

http://www.freelists.org/post/x500standard/New-draft-on-password-policy,1

I'm all for getting useful enhancements into the published spec. But as thisis a security mechanism we're talking about, it has to be designed with some care.

The scenario you've provided as motivation for the feature you describe soundslike a bunch of poorly written apps; they should immediately remove passwordsfrom their caches the first time they fail to authenticate. At the very least,they should immediately come back to the user with an error message and askfor confirmation before retrying.

Also, using apps which perform silent implicit authentications of this sortrenders parts of ppolicy useless (e.g., warnings about password expirationand/or grace logins drop on the floor instead of being presented to the user).

Fix the real problem, not just the symptom. The approach you're pushing for isjust putting a bandaid on a problem, not fixing it. This may be how otherfolks handle their software design problems, but it just doesn't fly forsecurity issues.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: password policy - alternate lockout mechanism
  - From: Aravind Gottipati <aravind@freeshell.org>

References:
- Re: password policy - alternate lockout mechanism
  - From: Aravind Gottipati <aravind@freeshell.org>
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: password policy - alternate lockout mechanism
Next by Date: Re: password policy - alternate lockout mechanism
Index(es):
- Chronological
- Thread