> From a usability point of view, I think rounding up considerably on
> numbers makes sense.
Ok, happy with that. At some point we're going to just have to pick a
number, maybe I'll go for 2 hours.
> Is the issue dictionary attacks? If that's the case, a one-minute
> lockout would serve the purpose, wouldn't it?
Kind of, it's all a trade-off between preventing brute force attacks
and preventing denial of service attacks.
> problematic. It would add some increased security if you were able to
> see that the IP changed, and test if the change is acceptable (using
> the GeoIP library to see the new and old location, and acceptable
> changes should be regionally similar -- an IP should never switch from
> the US to Russia, for instance).
Ok, this sort of functionality has more recently been added to online
banking sites - services like RSA PassMark do this. Not appropriate
for our kind of sites I think.
> What is the advantage of "hmac_sha1(master_salt, user_name)" over
Minimal, it's just that HMAC is specifically designed for combining two
values in a hash like this.
Repoze-dev mailing list
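As an added illustration of the two points discussed in this thread (not code from the thread or from the repoze project), the block below shows the hmac_sha1(master_salt, user_name) construction alongside a small per-account lockout tracker whose `max_failures` and `lockout_seconds` knobs are exactly the brute-force versus denial-of-service trade-off mentioned above. The class and function names, the 5-failure threshold and the injectable clock are assumptions made for the example; the 2-hour default comes from the thread.

```python
import hashlib
import hmac
import time


def derive_user_salt(master_salt: bytes, user_name: str) -> bytes:
    """Per-user salt as HMAC-SHA1(master_salt, user_name).

    HMAC is a keyed construction, so the secret master_salt and the public
    user name are mixed by a defined algorithm rather than by an ad-hoc
    concatenation whose boundary ambiguities the caller would have to handle.
    """
    return hmac.new(master_salt, user_name.encode("utf-8"), hashlib.sha1).digest()


class FakeClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class LockoutPolicy:
    """Hypothetical failed-login tracker, one counter per account.

    A small max_failures blunts online dictionary attacks; a long
    lockout_seconds lets anyone who knows a user name keep that account
    locked, which is the denial-of-service side of the trade-off.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 2 * 3600,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # user -> consecutive failure count
        self._locked_until = {}   # user -> time at which the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: forget it and the failures that caused it.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count a failed attempt; return True if the account is now locked."""
        if self.is_locked(user):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    # Constructed demo: three bad passwords lock "alice" for two hours.
    clock = FakeClock(1000.0)
    policy = LockoutPolicy(max_failures=3, clock=clock)
    for _ in range(3):
        locked = policy.record_failure("alice")
    print("locked after 3 failures:", locked)
    clock.advance(2 * 3600)
    print("still locked two hours later:", policy.is_locked("alice"))
    print("salt for alice:", derive_user_salt(b"example-master-salt", "alice").hex())
```

Because the salt derivation is deterministic, the per-user salt never needs to be stored; it is recomputed from the master salt at verification time, and two accounts with the same password still hash differently.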