Feucht, Florian writes:
> Is this problem unsolvable, or did I say something wrong?
Doing it the way you suggest, counting failures, means remembering state
somewhere, somehow. If you have a lot of idiot users, this state could
become very large and slow. Also there are two possible denial of service
attacks: the first is somebody deliberately giving a bad password several
times to lock some user out; the second is somebody deliberately giving a
bad password for every user on your system in order to make the state cdb
large and slow.
A simpler, but less effective, mechanism is for vchkpw to sleep for several
seconds before it returns an "invalid password" response. Again, there
is a denial of service attack which can be used if somebody has a big
enough computer or a distributed attack network: keep giving bad passwords
for all users so there are lots of processes sleeping and your machine
spends all its time swapping them in and out.
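One way to bound the state that the reply above worries about, as an added example that is not from the original thread and not vpopmail or vchkpw code: a failed-login counter that forgets entries after a fixed window and caps how many keys it tracks, so a flood of bad passwords for every user cannot grow it without limit. The class and method names, the thresholds, the injectable clock, and the choice of key (a user name, a source address, or both) are all assumptions; the code only records and reports, it never sleeps.

```python
import time
from collections import OrderedDict


class FailureTracker:
    """Bounded, time-windowed failed-login counter (constructed example).

    Memory is capped two ways: entries older than `window` seconds are
    dropped, and if more than `max_entries` keys are tracked the oldest
    ones are evicted, so an attacker cannot inflate the table without end.
    """

    def __init__(self, max_failures=5, window=300.0, max_entries=10000,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.max_entries = max_entries
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self._entries = OrderedDict()  # key -> (failure_count, first_failure_time)

    def _expire(self, now):
        # Forget keys whose observation window has closed.
        for key in list(self._entries):
            if now - self._entries[key][1] > self.window:
                del self._entries[key]

    def record_failure(self, key):
        """Count one bad password for `key`; returns the count inside the window."""
        now = self.clock()
        self._expire(now)
        count, first = self._entries.pop(key, (0, now))
        self._entries[key] = (count + 1, first)  # re-insert at the end (most recent)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # evict the least recently touched key
        return self._entries[key][0]

    def record_success(self, key):
        """A correct password clears the counter for `key`."""
        self._entries.pop(key, None)

    def is_locked(self, key):
        """True when `key` has reached max_failures inside the current window."""
        self._expire(self.clock())
        entry = self._entries.get(key)
        return entry is not None and entry[0] >= self.max_failures

    def tracked(self):
        """Number of keys currently held; never exceeds max_entries."""
        return len(self._entries)
```

Keying on the client's source address rather than the user name alone changes which of the two denial-of-service cases the counter is exposed to; the class is agnostic about that choice.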