portals-jetspeed-dev mailing list archives

From Paul Spencer <pau...@apache.org>
Subject Re: Proposal
Date Wed, 22 May 2002 17:08:36 GMT
If I know your login, then I, via a script or program, could keep trying 
passwords until I successfully logged in.  This can be BAD!  That is why 
most OSes will lock an account based on failed login attempts.

The JR.p parameters that control when an account is locked out, based on 
failed attempts, are:
# 3 logon strikes per 300 seconds and your out
services.JetspeedSecurity.logon.strike.count=3
services.JetspeedSecurity.logon.strike.interval=300
# dont allow more than 10 over any time period
services.JetspeedSecurity.logon.strike.max=10

Paul Spencer

Glenn Golden wrote:

> We have this clever feature that if there are some number of unsuccessful
> login attempts over a time period, we disable the account.
> 
> This is a VERY BAD FEATURE!  With a feature like this, if I know your login
> id, I can quickly disable your account.
> 
> I suggest we remove it.  Call for a vote.
> 
> - Glenn
>  
> --------------------------------------------
> Glenn R. Golden, Systems Research Programmer
> University of Michigan School of Information
> ggolden@umich.edu               734-615-1419
> --------------------------------------------
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>
> 
> 



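To make the trade-off in this thread concrete, here is an added example (not Jetspeed's code) that models the three JR.p parameters above as a per-account strike tracker; the exact semantics (sliding window for count/interval, lifetime total for max, successful logon clearing only the window) are my assumptions, not taken from Jetspeed's implementation.

```python
from collections import deque, defaultdict

# Values from the JR.p snippet quoted in the message above
STRIKE_COUNT = 3        # services.JetspeedSecurity.logon.strike.count
STRIKE_INTERVAL = 300   # services.JetspeedSecurity.logon.strike.interval (seconds)
STRIKE_MAX = 10         # services.JetspeedSecurity.logon.strike.max


class LogonStrikeTracker:
    """Assumed semantics: lock when `count` failures fall inside any `interval`
    seconds, or when `maximum` failures accumulate regardless of timing."""

    def __init__(self, count=STRIKE_COUNT, interval=STRIKE_INTERVAL, maximum=STRIKE_MAX):
        self.count, self.interval, self.maximum = count, interval, maximum
        self.recent = defaultdict(deque)   # account -> timestamps of recent failures
        self.total = defaultdict(int)      # account -> lifetime failure count
        self.locked = set()

    def is_locked(self, account):
        return account in self.locked

    def record_failure(self, account, now):
        """Register a failed logon at time `now` (seconds); return True if locked."""
        if account in self.locked:
            return True
        self.total[account] += 1
        window = self.recent[account]
        window.append(now)
        while window and now - window[0] >= self.interval:   # expire old strikes
            window.popleft()
        if len(window) >= self.count or self.total[account] >= self.maximum:
            self.locked.add(account)
            return True
        return False

    def record_success(self, account):
        """A successful logon clears the sliding window; a lock is not lifted."""
        self.recent[account].clear()
        return not self.is_locked(account)


def simulate(attempts, tracker=None):
    """Replay constructed (account, time, ok) tuples; return accounts locked at the end."""
    tracker = tracker or LogonStrikeTracker()
    for account, t, ok in attempts:
        if ok:
            tracker.record_success(account)
        else:
            tracker.record_failure(account, t)
    return sorted(tracker.locked)
```

Replaying a burst of three failures locks the account as Paul describes, while the `strike.max` total catches a slow guesser who spaces attempts beyond the interval; the same replay also shows Glenn's point, since the tracker cannot tell whose failures they were.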