From: Ben Scott [EMAIL PROTECTED]
Subject: Re: Audit recommendation
On Dec 22, 2007 7:26 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > Fast brute force can be simply defeated by having long and/or
> > complex passwords and/or account lockout ...
>
> Brute force attacks can be effective against even long passwords,

Really? How long do you think it would take you to brute force a 15 character, complex, password, over FTP? Even at 1000 login attempts per second, you'd be spending many hundreds of years.

> and the problem with account lockout is that it also locks out the
> legitimate users. So your objections have issues, too.

Which is why I suggested a 1 minute lockout, every 100 consecutive failed login attempts. Most legitimate users either (a) can get this password correct within 100 guesses -or- (b) give up and call the Helpdesk before that point in time. And even if they do manage to lock out their account, it's only for 1 minute. Which usually isn't an issue for a legitimate user.

> > I'd rather Microsoft concentrate on other, new, functionality that we need
> > ...
>
> Given that this isn't exactly rocket science to implement (maybe a
> few dozen lines of code in C), and Microsoft isn't exactly hurting for
> engineering budget, I think it's reasonable to ask for both.

Total effort is more than writing a few lines of code (someone has to do the documentation, it needs to work with other APIs, ISVs would need to be notified, SDKs/documentation would need to be updated, regression tests and threat models written and tested, etc.)

I still don't see the benefit of this technology. So, I'd rather we had more useful stuff.

Cheers
Ken
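The two numbers argued over above (time to exhaust a 15-character complex password at 1000 guesses/s, and what a "1 minute lockout after 100 consecutive failures" policy does to an online guessing rate) can be worked through directly. The script below is an added example, not code from either poster; it assumes a 94-symbol printable-ASCII alphabet and models the lockout as a per-account counter that a successful login resets.

```python
import string

# Assumption: "complex" means upper, lower, digits and punctuation (94 symbols).
COMPLEX_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_years(length, attempts_per_second, alphabet_size=COMPLEX_ALPHABET):
    """Expected years to hit a uniformly random password (half the keyspace)."""
    return alphabet_size ** length / 2 / attempts_per_second / SECONDS_PER_YEAR


class LockoutPolicy:
    """Lock an account for `lockout_seconds` once `threshold` consecutive
    failures are seen; a successful login resets the failure counter."""

    def __init__(self, threshold=100, lockout_seconds=60.0):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> consecutive failures so far
        self._locked_until = {}  # account -> time the lockout expires

    def attempt(self, account, now, success):
        """Returns 'locked' (not even checked), 'ok', or 'fail'."""
        if now < self._locked_until.get(account, 0.0):
            return "locked"
        if success:
            self._failures[account] = 0
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.threshold:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0
        return "fail"


def effective_rate(policy, raw_attempts_per_second):
    """Upper bound on guesses/second that actually reach the password check:
    each cycle is `threshold` guesses followed by a full lockout window."""
    cycle = policy.threshold / raw_attempts_per_second + policy.lockout_seconds
    return policy.threshold / cycle


def simulate_guessing(policy, account, raw_rate, duration):
    """Count guesses checked during `duration` seconds of wrong guesses at raw_rate/s."""
    checked = 0
    for i in range(int(duration * raw_rate)):
        if policy.attempt(account, i / raw_rate, success=False) == "fail":
            checked += 1
    return checked
```

With the thread's figures, `expected_years(15, 1000)` is on the order of 10^18 years, and the 100-per-minute lockout caps a 1000 guess/s client at roughly 1.66 checked guesses per second.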
