Feucht, Florian writes:
> Is this problem unsolvable, or did I say something wrong?

Doing it the way you suggest, counting failures, means remembering state somewhere, somehow. If you have a lot of idiot users, this state could become very large and slow. Also, there are two possible denial-of-service attacks: the first is somebody deliberately giving a bad password several times to lock some user out; the second is somebody deliberately giving a bad password for every user on your system in order to make the state cdb large and slow.

A simpler, but less effective, mechanism is for vchkpw to sleep for several seconds before it returns an "invalid password" response. Again, there is a denial-of-service attack which can be used if somebody has a big enough computer or a distributed attack network: keep giving bad passwords for all users so there are lots of processes sleeping and your machine spends all its time swapping them in and out.

--
Paul Allen
Softflare Support
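The following is an added illustration, not code from the thread, from vchkpw or from vpopmail: a small Python model of the two mechanisms Paul describes, written so the trade-offs can be exercised offline. The failure counter keeps per-user state with an expiry window and a hard cap on the number of tracked users (the cap, the window, the threshold of 3 and the `user<N>@example.com` names are all constructed for the demo). `lockout_attack` shows the first denial of service (an attacker locks out a legitimate user with a few bad passwords), `state_flood` shows why the second (a bad password for every account) needs the state to be bounded, and `check_password_with_delay` models the stateless sleep-on-failure alternative with an injectable sleeper so the delay can be observed without actually sleeping.

```python
"""Toy model of failure counting vs. sleep-on-failure (added example)."""
import hmac
import time
from collections import OrderedDict


class FailureCounter:
    """Per-user failed-login counter with a lockout threshold.

    State is bounded two ways: entries expire `window` seconds after the
    first failure, and once `max_entries` users are tracked the oldest
    entry is evicted. Both limits are demo values, not vpopmail's.
    """

    def __init__(self, threshold=3, window=600.0, max_entries=1000,
                 clock=time.time):
        self.threshold = threshold
        self.window = window
        self.max_entries = max_entries
        self.clock = clock  # injectable so tests can control time
        # user -> (failure count, time of first failure); insertion-ordered
        self.state = OrderedDict()

    def _expire(self, now):
        for user in list(self.state):
            _, first = self.state[user]
            if now - first > self.window:
                del self.state[user]

    def record_failure(self, user):
        now = self.clock()
        self._expire(now)
        count, first = self.state.pop(user, (0, now))
        self.state[user] = (count + 1, first)  # re-insert at the newest end
        while len(self.state) > self.max_entries:
            self.state.popitem(last=False)  # evict the oldest tracked user

    def is_locked(self, user):
        now = self.clock()
        self._expire(now)
        count, _ = self.state.get(user, (0, now))
        return count >= self.threshold

    def tracked_users(self):
        return len(self.state)


def lockout_attack(counter, victim, attempts):
    """Attacker sends `attempts` bad passwords for `victim`.

    Returns True if the legitimate owner of `victim` is now locked out,
    i.e. the counter itself became the denial-of-service vector.
    """
    for _ in range(attempts):
        counter.record_failure(victim)
    return counter.is_locked(victim)


def state_flood(counter, n_users):
    """Attacker sends one bad password for each of `n_users` distinct names.

    Returns how many entries the counter actually retains; with an unbounded
    store this would equal `n_users`, with the cap it cannot exceed it.
    """
    for i in range(n_users):
        counter.record_failure(f"user{i}@example.com")  # constructed names
    return counter.tracked_users()


def check_password_with_delay(expected, supplied, delay=3.0,
                              sleeper=time.sleep):
    """Stateless alternative: constant-time compare, sleep before rejecting.

    Nothing is remembered between calls, so there is no state to flood,
    but every failed attempt ties up a process for `delay` seconds.
    """
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        return True
    sleeper(delay)
    return False


if __name__ == "__main__":
    c = FailureCounter(threshold=3, max_entries=100)
    print("victim locked out by attacker:",
          lockout_attack(c, "alice@example.com", 3))
    print("entries retained after flooding 5000 names:",
          state_flood(FailureCounter(max_entries=100), 5000))
```

The cap and expiry keep the counter's memory bounded under the second attack, but they do nothing for the first: whoever fails three times for a name locks that name, which is exactly the trade-off the message points out. The delay variant has no such state, at the cost of one sleeping process per rejected attempt.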
