Adam,

Adam Gordon wrote:
> A customer will generally freak out if you tell them their account
> was locked due to illegal access attempts. Shoot, I know I would -
> especially if the account is sensitive, like a bank or something.
> Their next question would be did they get in and what did they get?

So, your solution is to leave your customers ignorant of break-in
attempts? :( The suggestion /was/ a temporary lock-out.

> It's definitely a tricky problem and even some of our better
> engineers are having a rough go of trying to figure out a solution. All
> the solutions we can think of only slow someone down, not keep them
> out.

That's because you are looking for a solution that slows them down, but
doesn't keep them out (see your own comments above). Thread.sleep() adds
no security. It just ties up your request processing threads, raising
your operating costs.

> Customers want to know that their information is secure, but they
> don't want to be hindered by that security, and I agree - it should
> be as transparent as possible.

Honestly, I appreciate proactive solutions like temporary lock-outs. If
my bank told me that I couldn't log in because someone had been trying to
guess my password, I would feel better than if they just let it go.

-chris
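
One way to implement the temporary lock-out discussed above without Thread.sleep(), as an added example that is not part of the original message. The class name, thresholds and durations are assumptions; the thread specifies none of them.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

/** Temporary lock-out tracked by timestamp; no request thread is ever parked. */
public class LoginLockout {
    // Assumed policy values, chosen for illustration only.
    private static final int MAX_FAILURES = 5;
    private static final Duration WINDOW = Duration.ofMinutes(10);
    private static final Duration LOCKOUT = Duration.ofMinutes(15);

    private static final class State {
        int failures;
        Instant windowStart;   // start of the current failure-counting window
        Instant lockedUntil;   // null when the account is not locked
    }

    private final ConcurrentHashMap<String, State> states = new ConcurrentHashMap<>();
    private final Clock clock;

    public LoginLockout(Clock clock) { this.clock = clock; }

    /** Returns immediately: a locked account costs one map lookup. */
    public boolean isLocked(String user) {
        State s = states.get(user);
        if (s == null) return false;
        synchronized (s) {
            return s.lockedUntil != null && clock.instant().isBefore(s.lockedUntil);
        }
    }

    /** Records a failed attempt; returns true if this failure triggered the lock. */
    public boolean recordFailure(String user) {
        Instant now = clock.instant();
        State s = states.computeIfAbsent(user, k -> new State());
        synchronized (s) {
            if (s.windowStart == null || now.isAfter(s.windowStart.plus(WINDOW))) {
                s.windowStart = now;   // old failures have aged out
                s.failures = 0;
            }
            if (++s.failures < MAX_FAILURES) return false;
            s.lockedUntil = now.plus(LOCKOUT);
            s.failures = 0;            // start clean once the lock expires
            s.windowStart = null;
            return true;
        }
    }

    /** A successful login clears the failure history for that account. */
    public void recordSuccess(String user) { states.remove(user); }
}
```

Call isLocked() before checking the password and reject at once if it returns true, so a locked account never reaches credential verification. The map here is per-JVM and unbounded, so a deployment would need eviction and, for a cluster, a shared store.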