Feucht, Florian writes:

> is this problem unsolvable, or did I say something wrong?

Doing it the way you suggest, counting failures, means remembering state
somewhere, somehow.  If you have a lot of idiot users, this state could
become very large and slow.  Also there are two possible denial of service 
attacks: the first is somebody deliberately giving a bad password several 
times to lock some user out; the second is somebody deliberately giving a 
bad password for every user on your system in order to make the state cdb
large and slow.

A simpler, but less effective, mechanism is for vchkpw to sleep for several
seconds before it returns an "invalid password" response.  Again, there
is a denial of service attack which can be used if somebody has a big
enough computer or a distributed attack network: keep giving bad passwords
for all users so there are lots of processes sleeping and your machine
spends all its time swapping them in and out.

Paul Allen
Softflare Support
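Added example (not code from this thread or from vpopmail/vchkpw): a per-user failure counter of the kind discussed above, with a cap on entries and an expiry window so that bad passwords for thousands of made-up users cannot grow the state without limit; the parameter names and defaults are constructed, and the per-user lockout problem the post raises remains.

```python
import time
from collections import OrderedDict


class FailureCounter:
    """Per-user failed-login counter with a cap on how much state it keeps.

    The plain counter described in the post grows by one entry for every
    username ever tried, so bad passwords for made-up users inflate it
    without limit. This constructed variant (not vchkpw's own code) drops
    the least recently updated entry once max_entries is reached and
    forgets entries older than window seconds. The other problem the post
    raises still applies: repeated bad passwords for one real user still
    lock that user out for the length of the window.
    """

    def __init__(self, max_failures=5, max_entries=1000, window=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.max_entries = max_entries
        self.window = window
        self.clock = clock             # injectable for deterministic tests
        self.failures = OrderedDict()  # user -> [count, last_failure_time]

    def record_failure(self, user):
        now = self.clock()
        entry = self.failures.pop(user, None)  # pop so re-insert moves it to the end
        if entry is None or now - entry[1] > self.window:
            entry = [0, now]                   # fresh or expired: restart the count
        entry[0] += 1
        entry[1] = now
        self.failures[user] = entry
        while len(self.failures) > self.max_entries:
            self.failures.popitem(last=False)  # evict the least recently updated user

    def is_locked(self, user):
        entry = self.failures.get(user)
        if entry is None or self.clock() - entry[1] > self.window:
            return False
        return entry[0] >= self.max_failures

    def state_size(self):
        return len(self.failures)
```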