Howard Chu wrote:
Generally, we implement features according to the published specs. If you believe this feature is valuable, you should push to have it included in the next version of the ppolicy draft. I've been pushing for a few additions recently as well.
http://www.openldap.org/lists/ietf-ldapext/200907/msg00001.html
More details are also on the X.500 list
http://www.freelists.org/post/x500standard/New-draft-on-password-policy,1
I'm all for getting useful enhancements into the published spec. But as this is a security mechanism we're talking about, it has to be designed with some care.
The scenario you've provided as motivation for the feature you describe sounds like a bunch of poorly written apps; they should immediately remove passwords from their caches the first time they fail to authenticate. At the very least, they should immediately come back to the user with an error message and ask for confirmation before retrying.
Also, using apps which perform silent implicit authentications of this sort renders parts of ppolicy useless (e.g., warnings about password expiration and/or grace logins drop on the floor instead of being presented to the user).
Fix the real problem, not just the symptom. The approach you're pushing for is just putting a band-aid on a problem, not fixing it. This may be how other folks handle their software design problems, but it just doesn't fly for security issues.