I do not disagree. The decision to revoke is in the customer's hands. Before this APAR, the option to only say that the combination was invalid did not exist. So the APAR is 100% a good thing.
Yes, I would certainly agree that a delay option might be superior in many cases to revocation. A revocation makes work for the Help Desk. An increasing delay would be arguably as effective and have the advantage that you cite. RFE?

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Seymour J Metz
Sent: Tuesday, January 21, 2020 10:22 AM
To: [email protected]
Subject: Re: IBM APAR O44855

There are two separate issues:

1. Should you only say that the userid/password combination is bad? I have no problem with that.

2. Should you auto-revoke after n failed attempts? That's the vector for the DOS attack. IMHO it makes more sense to introduce an exponential delay, block the IP address or some approach that makes it harder to deliberately suspend a batch of user ids.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
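The two policies debated above, revoke-after-n-failures versus an increasing delay, side by side in a small simulation. This is an added example, not code from the thread, from RACF or from the APAR; the userids, passwords and timings are constructed for the demo, the plaintext password table exists only to keep the block short, and both policies report a bad attempt the same way regardless of whether the userid or the password was the wrong half. An attacker fires three wrong passwords at IBMUSER, then the real user tries the correct password shortly afterwards and again a minute later:

```python
"""Revoke-on-failure vs. exponential delay: a constructed login-throttle demo."""
from dataclasses import dataclass, field

# Constructed credential table for the demo (hypothetical userids).
# Plaintext only for brevity; a real system stores salted hashes.
USERS = {"IBMUSER": "s3cret!", "BATCH01": "x9y8z7"}


@dataclass
class RevokePolicy:
    """Revoke the userid after `limit` consecutive bad passwords.

    This is the behaviour that lets anyone who knows a userid lock it:
    once revoked, even the correct password is refused until the Help
    Desk resumes the id.
    """
    limit: int = 3
    failures: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def attempt(self, user: str, password: str, now: float) -> str:
        if user in self.revoked:
            return "REVOKED"                 # correct password no longer helps
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "OK"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.limit:
            self.revoked.add(user)
            return "REVOKED"
        return "FAIL"                        # same answer for bad id or bad password


@dataclass
class DelayPolicy:
    """Exponential delay instead of revocation.

    After the n-th consecutive failure the userid accepts no attempt for
    base * 2**(n-1) seconds (capped). Attempts inside the window are
    refused without evaluating the password, so they do not feed the
    counter and an attacker cannot drive the delay up faster than real
    time allows. The id heals itself: no Help Desk call is needed.
    """
    base: float = 1.0
    cap: float = 3600.0
    failures: dict = field(default_factory=dict)
    not_before: dict = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: float) -> str:
        if now < self.not_before.get(user, 0.0):
            return "WAIT"                    # window still open; password not checked
        if USERS.get(user) == password:
            self.failures[user] = 0
            self.not_before[user] = 0.0
            return "OK"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.not_before[user] = now + min(self.cap, self.base * 2 ** (n - 1))
        return "FAIL"


def simulate(policy) -> tuple:
    """Attacker sends three wrong passwords for IBMUSER at t=0, 1.5 and 4s
    (spaced so each one lands outside the previous delay window), then
    the legitimate user logs in at t=5s and again at t=60s.
    Returns the two outcomes for the legitimate user."""
    for t, guess in ((0.0, "guess1"), (1.5, "guess2"), (4.0, "guess3")):
        policy.attempt("IBMUSER", guess, t)
    soon = policy.attempt("IBMUSER", "s3cret!", 5.0)
    later = policy.attempt("IBMUSER", "s3cret!", 60.0)
    return soon, later


if __name__ == "__main__":
    print("revoke policy :", simulate(RevokePolicy(limit=3)))
    print("delay policy  :", simulate(DelayPolicy(base=1.0)))
```

With the revoke policy the attacker's three guesses suspend IBMUSER for good; the real user is refused at 5s and still at 60s. With the delay policy the third guess opens a 4-second window, so the real user is told to wait at 5s but gets in at 60s. The caveat a practitioner should keep in mind: the delay only bounds the denial, it does not remove it. An attacker who keeps sending one guess per window can hold the id at the cap indefinitely, which is why the original message also mentions blocking the source address; the delay and the source block are complementary, and the delay on its own converts a permanent, Help-Desk-clearing outage into a temporary one.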
