At 16:12 -0500 on 01/15/2007, Shmuel Metz (Seymour J.) wrote about
Re: Special characters in passwords was Re: RACF - Password:
> In <[EMAIL PROTECTED]>, on 01/09/2007
>    at 08:01 AM, Walt Farrell <[EMAIL PROTECTED]> said:
>
>> Given a system configuration that will lock out (revoke) a user ID if
>> someone guesses passwords incorrectly, say after 5 tries, the
>> chances of anyone guessing a password before getting the ID revoked
>> should be small regardless of password size, rules, etc.
>
> Of course, if his intent is to mount a DOS attack by locking out users
> in bulk, that automatic revocation gives him what he wants.

One way around that is to allow the user in even if revoked but only
give him one crack at the Password per connect (with a 5 minute delay
between offers to accept a password in lieu of the immediate "You're
Revoked - Contact Security" reply upon presentation of the UserID).
If someone has done a DOS attack, this will let the real user in
since they know their password.
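A minimal model of the scheme proposed in the last reply, added here as an illustration; it is not code from any poster or from RACF. It assumes the 5-minute delay is applied per connection before the password prompt is offered and that a correct password clears the revoked state; the class and constant names are hypothetical.

```python
import hashlib
import hmac
import os

REVOKE_AFTER = 5       # failed guesses before the ID is revoked (figure from the thread)
RETRY_DELAY = 5 * 60   # seconds a revoked ID waits before a password prompt is offered


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = self._kdf(password)
        self.failures = 0

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check(self, password):
        return hmac.compare_digest(self._kdf(password), self.digest)

    @property
    def revoked(self):
        return self.failures >= REVOKE_AFTER


class Connection:
    """One session; 'now' is passed in so the policy can be exercised offline."""

    def __init__(self, account, now):
        self.account, self.opened, self.closed = account, now, False

    def attempt(self, password, now):
        """Return 'ok', 'bad', 'wait' (prompt not offered yet) or 'closed'."""
        acct = self.account
        if self.closed:
            return "closed"
        # Revoked ID: delay the prompt instead of refusing outright.
        if acct.revoked and now < self.opened + RETRY_DELAY:
            return "wait"
        if acct.check(password):
            acct.failures = 0          # assumption: a good password clears the revoke
            return "ok"
        acct.failures += 1
        self.closed = acct.revoked     # revoked ID gets one guess per connection
        return "bad"
```

Under this model the guess rate against a revoked ID is bounded at one per connection per five minutes, so a cap on concurrent connections per source is still needed to keep that bound meaningful.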