> From a usability point of view, I think rounding up considerably on
> numbers makes sense.

Ok, happy with that. At some point we're going to just have to pick a
number, maybe I'll go for 2 hours.

> Is the issue dictionary attacks?  If that's the case, a one-minute
> lockout would serve the purpose, wouldn't it?

Kind of, it's all a trade-off between preventing brute force attacks
and preventing denial of service attacks.

> problematic.  It would add some increased security if you were able to
> see that the IP changed, and test if the change is acceptable (using
> the GeoIP library to see the new and old location, and acceptable
> changes should be regionally similar -- an IP should never switch from
> the US to Russia, for instance).

Ok, this sort of functionality has more recently been added to online
banking sites - services like RSA PassMark do this. Not appropriate
for our kind of sites I think.

> What is the advantage of "hmac_sha1(master_salt, user_name)" over
> "master_salt+username"?

Minimal; it's just that HMAC is specifically designed for combining two
values in a hash like this.

Repoze-dev mailing list

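The two points in the reply above, the lockout trade-off and the choice of hmac_sha1(master_salt, user_name) over plain concatenation, as one added, runnable sketch. This is example code written for this page, not Repoze code and not what the thread's participants shipped; the master salt literal, the ManualClock, the 5-failure threshold and the 60-second / 2-hour windows are assumptions chosen for illustration. The concatenation ambiguity it shows is concrete: with no separator, sha1(b"abc" + b"def") and sha1(b"abcd" + b"ef") are the same digest, whereas HMAC keys on the salt so the two inputs cannot run into each other. The lockout tracker shows both sides of the trade-off the reply mentions: an attacker who waits out each lockout still gets max_failures guesses per window, and an attacker who deliberately burns those failures locks the legitimate user out for the whole window.

```python
import hashlib
import hmac
import time

# Hypothetical site-wide secret for this example; a real deployment would
# load a random value from configuration rather than hard-coding one.
MASTER_SALT = b"example-master-salt-not-a-real-secret"


def per_user_salt_hmac(master_salt: bytes, user_name: str) -> bytes:
    """hmac_sha1(master_salt, user_name): the salt is the HMAC key and the
    user name the message, so the two inputs can never run into each other."""
    return hmac.new(master_salt, user_name.encode("utf-8"), hashlib.sha1).digest()


def per_user_salt_concat(master_salt: bytes, user_name: str) -> bytes:
    """The alternative asked about in the thread: sha1(master_salt + user_name).
    With no separator, (b"abc", "def") and (b"abcd", "ef") hash the same bytes."""
    return hashlib.sha1(master_salt + user_name.encode("utf-8")).digest()


def password_hash(user_name: str, password: str) -> bytes:
    """Per-user salted hash. SHA-1 HMAC is used only because it is what the
    thread discusses; a slow KDF (bcrypt, scrypt, PBKDF2) is what a real site
    should use for password storage."""
    salt = per_user_salt_hmac(MASTER_SALT, user_name)
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha1).digest()


class LockoutTracker:
    """Counts consecutive failed logins per account and locks the account
    for lockout_seconds once max_failures is reached."""

    def __init__(self, max_failures: int, lockout_seconds: float, now=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._now = now                 # injectable clock so tests are deterministic
        self._failures: dict = {}       # user -> consecutive failures
        self._locked_until: dict = {}   # user -> unlock timestamp

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._now() >= until:        # lockout expired: forget the failures too
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Returns True if the account is locked after this failure."""
        if self.is_locked(user):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self._now() + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(tracker: LockoutTracker, store: dict, user: str, password: str) -> str:
    """Returns "locked", "ok" or "bad"; store maps user -> password_hash()."""
    if tracker.is_locked(user):
        return "locked"
    expected = store.get(user)
    if expected is not None and hmac.compare_digest(expected, password_hash(user, password)):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user)
    return "bad"


def guesses_per_day(max_failures: int, lockout_seconds: float) -> int:
    """Upper bound on online guesses per account per day for an attacker who
    simply waits out each lockout: the brute-force side of the trade-off."""
    return int(max_failures * 86400 / lockout_seconds)


class ManualClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = ManualClock()
    tracker = LockoutTracker(max_failures=5, lockout_seconds=60, now=clock)
    store = {"alice": password_hash("alice", "correct horse")}
    for _ in range(5):                          # attacker burns alice's attempts
        attempt_login(tracker, store, "alice", "wrong")
    print(attempt_login(tracker, store, "alice", "correct horse"))  # the DoS side: locked
    clock.advance(60)
    print(attempt_login(tracker, store, "alice", "correct horse"))  # window over: ok
    print(guesses_per_day(5, 60), guesses_per_day(5, 2 * 3600))    # one-minute vs two-hour lockout
```

The numbers from the thread fall out of guesses_per_day: a one-minute lockout after five failures still allows 7200 online guesses per account per day, a two-hour lockout allows 60, and the same two-hour window is how long an attacker can keep a legitimate user out by deliberately failing five times.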