My idea is to store this information per user, so the others remain
unaffected by locked mailboxes.

Another possibility is to lock the account only for a specific amount
of time (let's say 10 minutes) after 3 password fails. So if somebody
tries some hardcore brute force, the database grows only for a small
period of time.

Unfortunately I'm not a good C coder, but I'll try to do this when I
have some spare time available... this could be a chance to get into C a
little bit more :)

CU Flo

Feucht, Florian writes:

> is this problem unsolvable, or did I say something wrong?

Doing it the way you suggest, counting failures, means remembering state
somewhere, somehow.  If you have a lot of idiot users, this state could
become very large and slow.  Also there are two possible denial of service
attacks: the first is somebody deliberately giving a bad password
times to lock some user out; the second is somebody deliberately giving a
bad password for every user on your system in order to make the state
large and slow.

A simpler, but less effective, mechanism is for vchkpw to sleep for
seconds before it returns an "invalid password" response.  Again, there
is a denial of service attack which can be used if somebody has a big
enough computer or a distributed attack network: keep giving bad passwords
for all users so there are lots of processes sleeping and your machine
spends all its time swapping them in and out.

Paul Allen
Softflare Support
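The per-user counter Flo proposes (3 failures, 10-minute lock) written so that the state Paul worries about stays bounded, as an added example for this thread, not code from vchkpw or from either poster. The fixed-size table, the entry names and the caller-supplied `now` (so it can be tested without a real clock) are assumptions for illustration.

```c
#include <string.h>
#include <time.h>

#define MAX_FAILS    3    /* lock after 3 bad passwords (from the thread) */
#define LOCK_SECONDS 600  /* 10-minute lock window (from the thread) */
#define TABLE_SIZE   64   /* hypothetical cap on remembered users */

struct lock_entry {
    char   user[64];
    int    fails;
    time_t last_fail;     /* time of the most recent bad password */
};

static struct lock_entry table[TABLE_SIZE];

/* Find user's entry, expiring stale entries on the way; create it if asked. */
static struct lock_entry *lookup(const char *user, time_t now, int create) {
    struct lock_entry *free_slot = NULL;
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct lock_entry *e = &table[i];
        /* Forget a user once the lock window has passed since the last failure,
         * so the state grows only for the duration of an attack. */
        if (e->user[0] && now - e->last_fail >= LOCK_SECONDS)
            memset(e, 0, sizeof *e);
        if (e->user[0] == '\0') {
            if (!free_slot) free_slot = e;
        } else if (strcmp(e->user, user) == 0) {
            return e;
        }
    }
    if (!create || !free_slot) return NULL;
    strncpy(free_slot->user, user, sizeof free_slot->user - 1);  /* slot is zeroed */
    return free_slot;
}

/* 1 if the user is currently locked out, 0 otherwise. */
int is_locked(const char *user, time_t now) {
    struct lock_entry *e = lookup(user, now, 0);
    return e != NULL && e->fails >= MAX_FAILS;
}

/* Record a bad password; returns the new count, or -1 if the table is full. */
int record_failure(const char *user, time_t now) {
    struct lock_entry *e = lookup(user, now, 1);
    if (e == NULL) return -1;
    e->fails++;
    e->last_fail = now;
    return e->fails;
}
```

A full table makes `record_failure` return -1 rather than allocate, so an attacker spraying bad passwords at every account can only ever pin TABLE_SIZE entries for LOCK_SECONDS; the caller decides whether that case is logged or treated as a lockout.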

