Feucht, Florian writes:

> My idea is to store this information per user, so the others stay
> unaffected by locked mailboxes.
> 
> Another possibility is to lock the account only for a specific amount
> of time (let's say 10 minutes) after 3 password fails. So if somebody
> tries some hardcore brute force, the database grows only for a small
> period of time.

You are still not considering the possibility that somebody mounts a
denial of service attack.  An attacker need only make three attempts
every ten minutes to permanently lock somebody out.  And the attacker can
do that for every mailbox they know of on your system.  How would you like
it if I set up a cron job to run every ten minutes to block
[EMAIL PROTECTED]?  I think you'd find it a little inconvenient.

There are ways around the problem, as I suggested in another thread on
security issues.  Give your mailboxes random names like fekgopwa and use
an alias to take mail for f.feucht and drop it into fekgopwa.  Then people
attempting to lock out the f.feucht mailbox would fail because the mailbox
is actually fekgopwa.  Of course, you're still at the mercy of packet
sniffers finding out not only the real mailbox name but also the password
unless you use spop.


-- 
Paul Allen
Softflare Support

