On 8/30/06, Renshaw, Rick (C.) <[EMAIL PROTECTED]> wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dude VanWinkle
> Sent: Saturday, August 26, 2006 2:30 PM
> To: Adriel Desautels
> Cc: [email protected]
> Subject: Re: [Full-disclosure] Secure OWA
>
> > The only real fault I know about is the fact that you can guess passwords eternally without locking out user accounts.
>
> There are two sides to this risk. If you allow OWA logins to lock out accounts, and your OWA page is available from anywhere on the Internet, you are handing an easy DoS tool to anyone that knows the account names for people on your server.
Perhaps. But a temporary lockout period would deter brute-force attempts while still making an attacker do some work to keep the accounts locked (e.g., if you have a lockout of 5 minutes, brute forcing is no longer practical, but at the same time, if you want to DoS someone's account you have to keep coming back every 5 minutes. And that increases the risk you'll get caught.)

-Brendan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
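The trade-off Brendan describes, as an added example that is not part of the thread and not code from OWA or Exchange: a sliding-window failure counter with a temporary lockout. The policy values (5 failures, 5-minute window, 5-minute lock), the `attempt_login` front end and the injectable clock are all constructed for illustration. The simulation at the bottom shows both sides of the risk: a guesser is capped at a handful of attempts per lock period, and anyone trying to keep the account locked has to come back and fail again every 5 minutes.

```python
"""Temporary account lockout with a sliding failure window (constructed example)."""
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5           # failures allowed inside one window before locking
    window_seconds: float = 300.0   # failures older than this are forgotten
    lockout_seconds: float = 300.0  # how long the lock lasts (5 minutes, as in the thread)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # epoch seconds; 0 means not locked


class FakeClock:
    """Controllable clock so the behaviour can be exercised without sleeping."""
    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self.accounts = {}  # username -> AccountState

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._state(user).locked_until

    def record_failure(self, user: str) -> bool:
        """Record one failed login; return True if this failure triggered a lock."""
        now = self.clock()
        st = self._state(user)
        # Forget failures that fell out of the sliding window.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()  # the lock expires on its own; no admin unlock needed
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()


def attempt_login(tracker: LockoutTracker, user: str, password: str, check_credentials) -> str:
    """Return 'locked', 'ok' or 'failed'. Credentials are never checked while locked,
    so a guesser learns nothing about the password during the lock period."""
    if tracker.is_locked(user):
        return "locked"
    if check_credentials(user, password):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user)
    return "failed"


def guesses_per_hour(policy: LockoutPolicy) -> float:
    """Upper bound on guesses against one account per hour: each cycle yields
    max_failures guesses and then costs lockout_seconds of waiting."""
    return policy.max_failures * 3600.0 / policy.lockout_seconds


def simulate(policy: LockoutPolicy = LockoutPolicy()) -> dict:
    """Walk through one lock/unlock cycle for a constructed account 'alice'."""
    clock = FakeClock(1000.0)
    tracker = LockoutTracker(policy, clock=clock)
    creds = lambda u, p: p == "correct horse"  # constructed credential check
    results = {}
    # A guesser burns through the allowed failures and locks the account.
    results["guesses"] = [attempt_login(tracker, "alice", f"wrong{i}", creds)
                          for i in range(policy.max_failures)]
    results["locked_after_guesses"] = tracker.is_locked("alice")
    # Even the real password is refused while the lock is in force.
    results["real_password_while_locked"] = attempt_login(tracker, "alice", "correct horse", creds)
    # The lock expires by itself; the legitimate user gets back in.
    clock.advance(policy.lockout_seconds + 1)
    results["real_password_after_expiry"] = attempt_login(tracker, "alice", "correct horse", creds)
    # Keeping the account locked means failing max_failures times again every cycle.
    results["refails_to_relock"] = sum(
        1 for i in range(policy.max_failures)
        if attempt_login(tracker, "alice", f"again{i}", creds) == "failed")
    results["relocked"] = tracker.is_locked("alice")
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
    print(f"guesses/hour bound: {guesses_per_hour(LockoutPolicy())}")
```

Note the defender's side of the ledger: every lock event here is a discrete, loggable occurrence, which is exactly what makes a sustained lockout DoS noisier than an unbounded guessing run against a server that never locks anything.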
