Feucht, Florian writes:

> My idea is to store this information per user, so the others keep
> unaffected from locked mailboxes.
> Another Possibility is to lock the account only for an specific amount
> of time (lets say 10 minutes) after 3 password fails. So if somebody
> tries some hardcore brute force, the database grows only for a small
> period of time.

You are still not considering the possibility that somebody mounts a
denial of service attack.  An attacker need only make three attempts
every ten minutes to permanently lock somebody out.  And the attacker can
do that for every mailbox they know of on your system.  How would you like
it if I set up a cron job to run every ten minutes to block
[EMAIL PROTECTED]  I think you'd find it a little inconvenient.

There are ways around the problem, as I suggested in another thread on
security issues.  Give your mailboxes random names like fekgopwa and use
an alias to take mail for f.feucht and drop it into fekgopwa.  Then people
attempting to lock out the f.feucht mailbox would fail because the mailbox
is actually fekgopwa.  Pf course, you're still at the mercy of packet
sniffers finding out not only the real mailbox name but also the password
unless you use spop.

Paul Allen
Softflare Support

Reply via email to