portals-jetspeed-dev mailing list archives

From Endre Stølsvik <En...@Stolsvik.com>
Subject Re: Proposal
Date Wed, 22 May 2002 17:07:25 GMT
| We have this clever feature that if there are some number of unsuccessful
| login attempts over a time period, we disable the account.
|
| This is a VERY BAD FEATURE!  With a feature like this, if I know your login
| id, I can quickly disable your account.
|
| I suggest we remove it.  Call for a vote.

Such a feature is a must for most "hi-sec" systems.

However, you can augment the information about the "locked out" users by
including the IP address along with the username that is locked out. Of
course, this could enable distributed cracking, as the cracker only needed
to shop around for a couple of million IP addresses, and have three go's on
each IP address. You could however further enhance the scheme to include the
entire "last-byte" IP range, effectively dropping at least 254 IPs for each
time you lock out a user/IP pair. In addition, you could have a limit of
three IP addresses as well. This _would_ enable a DDoS attack on your
account, though. But who cares? ;) If the attacker is willing to go to such
lengths, he would probably have the means to take your whole service down
anyways.

Endre.
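The scheme Endre sketches above, written out as an added example (not code from the Jetspeed project or from either poster): failed logins are counted per (username, source /24) pair, three failures in a window lock that pair, and once three distinct /24 ranges have been locked for one user the whole account is locked, which is exactly the trade-off the original complaint was about. The class name, the window length, the lock durations, and the IPv6 handling (collapsing to /64) are assumptions for the example; only the thresholds of three attempts and three ranges come from the post.

```python
import ipaddress
from collections import defaultdict, deque


class LockoutTracker:
    """Sliding-window login-failure tracker keyed on (user, source range).

    Policy (assumed for this example, following the scheme in the post):
      * max_failures failures from one source range within `window` seconds
        lock that (user, range) pair for lock_seconds.
      * Once max_locked_ranges distinct ranges are locked for one user, the
        account is locked for every source.  This is the point at which the
        scheme becomes a denial-of-service vector against the account, so
        the threshold should be tuned and alerted on rather than silently hit.
    """

    def __init__(self, max_failures=3, window=300, lock_seconds=900,
                 max_locked_ranges=3):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.max_locked_ranges = max_locked_ranges
        self._failures = defaultdict(deque)   # (user, range) -> failure timestamps
        self._pair_locks = {}                  # (user, range) -> unlock time
        self._user_locks = {}                  # user -> unlock time

    @staticmethod
    def source_range(ip):
        """Collapse the last octet (IPv4 /24) or host part (IPv6 /64, assumed)
        so that hopping between addresses inside one range shares a bucket."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def is_locked(self, user, ip, now):
        """True if either the whole account or this (user, range) pair is locked."""
        if self._user_locks.get(user, 0) > now:
            return True
        return self._pair_locks.get((user, self.source_range(ip)), 0) > now

    def record_failure(self, user, ip, now):
        """Record one failed login; returns whether this source is now locked."""
        key = (user, self.source_range(ip))
        stamps = self._failures[key]
        stamps.append(now)
        # Drop failures that fell out of the sliding window.
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()
        if len(stamps) >= self.max_failures:
            self._pair_locks[key] = now + self.lock_seconds
            stamps.clear()
            # Count how many distinct ranges are currently locked for this user.
            locked_ranges = {r for (u, r), until in self._pair_locks.items()
                             if u == user and until > now}
            if len(locked_ranges) >= self.max_locked_ranges:
                self._user_locks[user] = now + self.lock_seconds
        return self.is_locked(user, ip, now)

    def record_success(self, user, ip, now):
        """A successful login clears the failure history for that pair only."""
        self._failures.pop((user, self.source_range(ip)), None)


def walkthrough():
    """Constructed scenario: alice is attacked from three /24 ranges in turn.
    Returns (same_range_locked, other_range_locked, account_locked)."""
    t = LockoutTracker()
    for i, ip in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        t.record_failure("alice", ip, i)
    same_range_locked = t.is_locked("alice", "10.0.0.200", 3)
    other_range_locked = t.is_locked("alice", "10.0.1.5", 3)
    for base, start in (("10.0.1.", 10), ("10.0.2.", 20)):
        for i in range(3):
            t.record_failure("alice", f"{base}{i + 1}", start + i)
    account_locked = t.is_locked("alice", "192.0.2.1", 23)
    return same_range_locked, other_range_locked, account_locked


if __name__ == "__main__":
    print(walkthrough())
```

The (user, range) keying means a single attacker has to spread attempts across many ranges before the account-wide lock triggers, while a legitimate user who fat-fingers a password is only locked out from their own network for the lock period; the `locked_ranges` check is the place to emit an alert, since reaching it means either a distributed guessing attempt or a deliberate lockout of that account.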