I assume that the idea you have is to prompt the user for a login and
password, look up the login to see if it exists, if so return the encrypted
password, then crypt the password that was entered, and compare the two.

Are you going to log the number of failed attempts made by a particular
IP address, tracking for potential password cracking programs?  I caution
against actually writing out the attempted logins and passwords initially
due to things like people who accidentally type in their passwords as the
login name, or having log files with login and passwords around for a
cracker to peruse...

I read a neat idea the other day.  The security admin talked about how
s/he either had implemented, or was thinking of implementing, a login
program which when presented with a failed login, presented the appearance
of a successful login.  They suggested even leaving documents which
appeared to be of value (fake mail files, etc.).  This way the cracker is
spending a lot of time in a fake account not realizing that the longer
they are online, the longer the security administrator had to track
them down...
-- 
Larry W. Virden <mailto:[EMAIL PROTECTED]>
<URL: http://www.purl.org/NET/lvirden/>
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
-><-
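As an added example that is not part of Larry's post: a Python sketch of the look-up, crypt and compare check he describes, together with a per-address failure counter that records only the source address and a count, never the login or password that was typed. PBKDF2 stands in for crypt(), and the user table, names and threshold are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000
THRESHOLD = 5  # failures from one address before we flag it (constructed value)


def make_record(password, salt=None):
    """Derive the stored form of a password. PBKDF2-SHA256 stands in for
    crypt(); only (salt, derived key) is kept, never the clear text."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


# Constructed user table: login -> (salt, derived key).
USERS = {"alice": make_record("correct horse")}

# Per-address failure counter. Deliberately stores only the address and a
# count, so a password mistyped into the login field never lands in a log.
FAILED = defaultdict(int)


def check_login(login, password, ip):
    rec = USERS.get(login)
    if rec is None:
        # Hash anyway so an unknown login costs as much time as a wrong password.
        make_record(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored = rec
        # Constant-time compare of the stored and freshly derived keys.
        ok = hmac.compare_digest(stored, make_record(password, salt)[1])
    if ok:
        FAILED.pop(ip, None)  # reset the counter on success
        return True
    FAILED[ip] += 1
    return False


def suspicious(ip):
    """True once an address has crossed the failure threshold."""
    return FAILED.get(ip, 0) >= THRESHOLD


def recorded_values():
    """Everything the failure tracker retains, for audit: addresses only."""
    return set(FAILED.keys())
```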
