On Fri, Oct 23, 2009 at 02:15:40PM -0700, Howard Chu wrote:
> I'm not sure you're trying to solve the right problem yet.
> unconvinced that account lockout is a good solution to anything, in
> general. That's why I added login rate control to the latest ppolicy draft,
> where the DSA simply starts inserting delays before responding to failed
> authc attempts. As I see it, rate control can be managed completely within
> a single DSA and no state ever needs to be replicated outward on any
> particular schedule. But at the moment I haven't yet thought about how well
> this will work in all the possible deployment scenarios.
>
> So once again, what's important here is to analyze what are the types of
> attacks we expect to see, and how particular defense strategies will
> behave, and how effectively they will fend off those attacks. Until you've
> outlined the problems, you don't have any framework for designing the

Just a quick comment: The way we understand NT4 is that the
failed attempts are counted locally and only the lockout is
replicated. This reduces the load a lot.
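Added example, not part of this thread and not OpenLDAP's ppolicy overlay or any NT4 code: a toy Python model of the two strategies discussed above. `RateControlDSA` keeps failure counts purely local and answers each failed bind after an escalating delay, so nothing is replicated; `LockoutDSA` also counts failures locally but replicates only the lockout to its peers once a threshold is reached. The DN, the threshold, the backoff schedule and the assumption that the attacker waits for each response before retrying are all made up for the illustration. The two `spray_*` helpers run the same attack (failed binds spread evenly across three replicas) against each design so the trade-offs can be compared: the lockout variant generates replication traffic only on lockout, but an attacker who keeps the per-replica count just under the threshold is never locked out, whereas rate control slows every replica independently.

```python
"""Toy model of two password-policy strategies from the thread.

Constructed example: not OpenLDAP ppolicy code and not NT4 code. The DN,
threshold and backoff schedule are illustrative assumptions.
"""

from collections import defaultdict

TARGET_DN = "uid=alice,dc=example,dc=com"  # assumed test account


class RateControlDSA:
    """Per-DSA login rate control: every failed bind for a DN is answered
    after a delay that grows with the failures *this* DSA has seen recently.
    State is purely local; nothing is ever replicated outward."""

    def __init__(self, base_delay=1.0, max_delay=32.0, window=600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.failures = defaultdict(list)  # dn -> timestamps of recent failures

    def bind(self, dn, password_ok, now):
        """Return (success, delay_seconds). delay_seconds is how long the DSA
        would wait before sending the bind response. Success clears the count."""
        recent = [t for t in self.failures[dn] if now - t < self.window]
        if password_ok:
            self.failures[dn] = []
            return True, 0.0
        recent.append(now)
        self.failures[dn] = recent
        # exponential backoff: 1s, 2s, 4s, ... capped at max_delay
        delay = min(self.max_delay, self.base_delay * 2 ** (len(recent) - 1))
        return False, delay


class LockoutDSA:
    """Account lockout as described for NT4 in the reply: failures are counted
    locally and only the lockout itself is replicated to the other DSAs."""

    def __init__(self, name, threshold=5):
        self.name = name
        self.threshold = threshold
        self.failures = defaultdict(int)  # local only, never replicated
        self.locked = set()
        self.peers = []
        self.replication_msgs = 0  # lockout messages this DSA sent outward

    def receive_lockout(self, dn):
        self.locked.add(dn)

    def bind(self, dn, password_ok):
        """Return (success, status). status is 'ok', 'invalid credentials' or 'locked'."""
        if dn in self.locked:
            return False, "locked"
        if password_ok:
            self.failures[dn] = 0
            return True, "ok"
        self.failures[dn] += 1
        if self.failures[dn] >= self.threshold:
            self.locked.add(dn)
            for peer in self.peers:
                peer.receive_lockout(dn)
                self.replication_msgs += 1
            return False, "locked"
        return False, "invalid credentials"


def connect_replicas(*dsas):
    for dsa in dsas:
        dsa.peers = [p for p in dsas if p is not dsa]


def spray_lockout(attempts_per_replica, replicas=3, threshold=5):
    """Send failed binds against each lockout replica in turn.
    Returns (account_got_locked, total_replication_messages)."""
    dsas = [LockoutDSA(f"dsa{i}", threshold) for i in range(replicas)]
    connect_replicas(*dsas)
    locked = False
    for dsa in dsas:
        for _ in range(attempts_per_replica):
            _, status = dsa.bind(TARGET_DN, False)
            locked = locked or status == "locked"
    return locked, sum(d.replication_msgs for d in dsas)


def spray_rate_control(attempts_per_replica, replicas=3):
    """Same attack against rate-controlled replicas. Assumes the attacker
    waits for each delayed response before retrying on that DSA.
    Returns the total delay imposed by each replica."""
    dsas = [RateControlDSA() for _ in range(replicas)]
    totals = []
    for dsa in dsas:
        now, total = 0.0, 0.0
        for _ in range(attempts_per_replica):
            _, delay = dsa.bind(TARGET_DN, False, now)
            total += delay
            now += delay
        totals.append(total)
    return totals


if __name__ == "__main__":
    print("lockout, 4 tries/replica:", spray_lockout(4))
    print("lockout, 5 tries/replica:", spray_lockout(5))
    print("rate control, 4 tries/replica:", spray_rate_control(4))
```

With a threshold of 5, four failures per replica never trigger a lockout and send no replication traffic; five on one replica lock the account and send exactly one message per peer, after which the other replicas refuse the bind without counting. The rate-controlled replicas impose 1+2+4+8 = 15 seconds of delay each on the same four attempts, with no messages exchanged at all, but note that the delay only costs an attacker who serialises attempts on one connection.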