Re: AW: AW: WG: [vchkpw] lock account after login failures

2003-09-30 Thread Paul L. Allen
Feucht, Florian writes: Perhaps he did, but locked out CONNECTIONS from that IP for 10 minutes reads differently to me. If Tom had meant what you said, then I would have expected something like locked out authentication attempts from that username/IP pair for 10 minutes. This idea

AW: AW: WG: [vchkpw] lock account after login failures

2003-09-29 Thread Feucht, Florian
Perhaps he did, but locked out CONNECTIONS from that IP for 10 minutes reads differently to me. If Tom had meant what you said, then I would have expected something like locked out authentication attempts from that username/IP pair for 10 minutes. This idea is great, but doesn't work for

AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Feucht, Florian
Hi. My idea is to store this information per user, so the others stay unaffected by locked mailboxes. Another possibility is to lock the account only for a specific amount of time (let's say 10 minutes) after 3 password fails. So if somebody tries some hardcore brute force, the database grows

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Paul L. Allen
Feucht, Florian writes: My idea is to store this information per user, so the others stay unaffected by locked mailboxes. Another possibility is to lock the account only for a specific amount of time (let's say 10 minutes) after 3 password fails. So if somebody tries some hardcore brute

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Tom Collins
On Friday, September 26, 2003, at 03:39 AM, Paul L. Allen wrote: You are still not considering the possibility that somebody mounts a denial of service attack. An attacker need only make three attempts every ten minutes to permanently lock somebody out. And the attacker can do that for every

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Paul L. Allen
Tom Collins writes: What if the system tracked it by IP, and after three failures locked out connections from that IP for 10 minutes? That has problems for companies behind a firewall which use external mail servers (we have several clients in that situation). All it takes is one person to

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Paul L. Allen
X-Istence writes: Paul L. Allen wrote: Tom Collins writes: What if the system tracked it by IP, and after three failures locked out connections from that IP for 10 minutes? [...] He meant log it on an account AND ip basis. Perhaps he did, but locked out CONNECTIONS from that