On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu <[email protected]> wrote:
> Fix the real problem, not just the symptom. The approach you're pushing for
> is just putting a bandaid on a problem, not fixing it. This may be how other
> folks handle their software design problems, but it just doesn't fly for
> security issues.
Howard,

You are right that it's not correct for apps to continue trying to authenticate with an incorrect password, or for them to fail silently. In a perfect world this would not happen. Unfortunately, we can't control all these apps or users' behaviors. My choices are either to ignore the problem and lock folks out after X failed attempts (whether real or from faulty apps), or not to implement any sort of lockout at all. I am not sure how else I can explain this to you, but it's a real problem, and saying "fix your apps" doesn't always work.

Aravind.
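The trade-off the two messages above are arguing about, as an added example that is not code from this thread or from OpenLDAP's ppolicy overlay: a sliding-window lockout counter, run once in the conventional mode (every failed bind counts) and once in a variant that does not advance the counter when a client keeps resubmitting a password already seen in the window. The class and function names, the keyed-hash bookkeeping, the demo key and the two simulated clients are my own assumptions for the illustration.

```python
import hashlib
import hmac
from collections import deque


class LockoutPolicy:
    """Per-user failed-bind bookkeeping with a sliding window (hypothetical).

    count_repeats=True: every failed bind counts (the conventional policy).
    count_repeats=False: a failed bind that repeats a password already seen in
    the window does not advance the counter, so a client looping on one stale
    password cannot lock the account by itself.
    """

    def __init__(self, max_failures, window_seconds, count_repeats, hmac_key):
        self.max_failures = max_failures
        self.window = window_seconds
        self.count_repeats = count_repeats
        self.key = hmac_key
        self.failures = {}   # user -> deque of (timestamp, keyed tag)
        self.locked = set()

    def _tag(self, password):
        # Keyed hash so the table never holds failed passwords in clear; the
        # key is a secret that must stay out of logs and be rotated.
        return hmac.new(self.key, password.encode(), hashlib.sha256).digest()

    def is_locked(self, user):
        return user in self.locked

    def record_failure(self, user, password, now):
        """Register a failed bind at time `now`; return True if the user is locked."""
        if user in self.locked:
            return True
        window = self.failures.setdefault(user, deque())
        # Drop failures that have aged out of the window.
        while window and now - window[0][0] > self.window:
            window.popleft()
        tag = self._tag(password)
        if not self.count_repeats and any(t == tag for _, t in window):
            return False  # same stale password again: not a new failure
        window.append((now, tag))
        if len(window) >= self.max_failures:
            self.locked.add(user)
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)

    def unlock(self, user):
        self.locked.discard(user)
        self.failures.pop(user, None)


KEY = b"\x00" * 32  # constructed demo key; use a random per-deployment secret


def stale_client_locks_account(count_repeats):
    """Constructed client: retries one stale password every 60 s for ten minutes."""
    policy = LockoutPolicy(3, 300, count_repeats, KEY)
    for t in range(0, 600, 60):
        policy.record_failure("alice", "old-password", t)
    return policy.is_locked("alice")


def guesser_locks_account(count_repeats):
    """Constructed attacker: three distinct guesses within half a minute."""
    policy = LockoutPolicy(3, 300, count_repeats, KEY)
    for t, guess in enumerate(["123456", "password", "letmein"]):
        policy.record_failure("alice", guess, t * 10)
    return policy.is_locked("alice")
```

In the conventional mode the misconfigured client locks the account after three retries, which is the complaint in the thread; in the variant it never does, while the guesser is locked in both modes because an online guesser needs distinct candidates anyway. The price of the variant is that the server retains keyed hashes of failed passwords for the length of the window, which is sensitive state in its own right, and it still cannot tell a faulty client from an attacker who deliberately repeats one guess to probe the policy.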
