portals-jetspeed-dev mailing list archives

From Glenn Golden <ggol...@umich.edu>
Subject RE: Proposal
Date Wed, 22 May 2002 19:23:23 GMT
I agree password attacks are a problem, but our solution is a bad one.  Our
solution makes it much too easy to do damage.  Perhaps there's another
solution.

I say we get rid of this one.

+1

- Glenn

--------------------------------------------
Glenn R. Golden, Systems Research Programmer 
University of Michigan School of Information
ggolden@umich.edu               734-615-1419
--------------------------------------------


> -----Original Message-----
> From: Paul Spencer [mailto:paulsp@apache.org] 
> Sent: Wednesday, May 22, 2002 1:09 PM
> To: Jetspeed Developers List
> Subject: Re: Proposal
> 
> 
> If I know your login, then I, via a script or program, could keep trying
> passwords until I successfully logged in.  This can be BAD!  That is why
> most OSes will lock an account based on failed login attempts.
> 
> The JR.p parameters that control when an account is locked out, based on
> failed attempts, are:
> # 3 logon strikes per 300 seconds and your out 
> services.JetspeedSecurity.logon.strike.count=3
> services.JetspeedSecurity.logon.strike.interval=300
> # dont allow more than 10 over any time period 
> services.JetspeedSecurity.logon.strike.max=10
> 
> Paul Spencer
> 
> Glenn Golden wrote:
> 
> > We have this clever feature that if there are some number of 
> > unsuccessful login attempts over a time period, we disable the 
> > account.
> > 
> > This is a VERY BAD FEATURE!  With a feature like this, if I know your
> > login id, I can quickly disable your account.
> > 
> > I suggest we remove it.  Call for a vote.
> > 
> > - Glenn
> >  
> > --------------------------------------------
> > Glenn R. Golden, Systems Research Programmer
> > University of Michigan School of Information
> > ggolden@umich.edu               734-615-1419
> > --------------------------------------------

--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>
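The strike rules Paul quotes, and the lockout-as-denial-of-service that Glenn objects to, modelled as an added Python example (not Jetspeed's own code). The exact semantics are my assumptions from the thread: failures counted inside a sliding interval, a lifetime maximum on top, and no reset on a successful logon; logins, passwords and timestamps are constructed.

```python
STRIKE_COUNT = 3       # services.JetspeedSecurity.logon.strike.count (from the quoted JR.p)
STRIKE_INTERVAL = 300  # services.JetspeedSecurity.logon.strike.interval, seconds
STRIKE_MAX = 10        # services.JetspeedSecurity.logon.strike.max

class LockoutPolicy:
    """Assumed strike semantics: disable the account once `count` failures fall inside an
    `interval`-second window, or once lifetime failures reach `maximum`; success does not reset."""

    def __init__(self, count=STRIKE_COUNT, interval=STRIKE_INTERVAL, maximum=STRIKE_MAX):
        self.count, self.interval, self.maximum = count, interval, maximum
        self.recent = {}    # login -> failure timestamps still inside the window
        self.total = {}     # login -> lifetime failure count
        self.locked = set()

    def attempt(self, login, password, correct, now):
        """One logon attempt at time `now` (seconds); True only on success."""
        if login in self.locked:
            return False
        if password == correct:
            return True
        window = [t for t in self.recent.get(login, []) if now - t <= self.interval] + [now]
        self.recent[login] = window  # strikes older than the interval are forgotten
        self.total[login] = self.total.get(login, 0) + 1
        if len(window) >= self.count or self.total[login] >= self.maximum:
            self.locked.add(login)
        return False

def guessing_is_stopped():
    """Paul's case: the third wrong guess inside 300 s disables the account."""
    p = LockoutPolicy()
    for t, guess in enumerate(["a", "b", "c"]):
        p.attempt("alice", guess, "s3cret", now=t)
    return p.attempt("alice", "s3cret", "s3cret", now=4)  # False: locked before the right guess

def owner_locked_out_by_someone_else():
    """Glenn's case: three failures from anyone who knows the id shut out the real user."""
    p = LockoutPolicy()
    for t in range(3):
        p.attempt("alice", "wrong", "s3cret", now=t)
    return p.attempt("alice", "s3cret", "s3cret", now=10)  # False despite the correct password

def slow_failures_hit_lifetime_max():
    """strike.max: failures 400 s apart never fill the window, but the 10th still locks."""
    p = LockoutPolicy()
    for i in range(9):
        p.attempt("bob", "wrong", "pw", now=i * 400)
    before = "bob" in p.locked
    p.attempt("bob", "wrong", "pw", now=9 * 400)
    return before, "bob" in p.locked  # (False, True)
```

The second scenario is the whole of Glenn's objection: the policy cannot tell the account owner's failures from anyone else's, so the lockout is reachable by anyone who knows the login id.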

