Kurt Zeilenga wrote:
On Jan 27, 2009, at 12:14 PM, Clowser, Jeff wrote:
> That would be nice, but I can't help but think (without having
> out in detail) that there would be a gotcha to this - performance
> security vulnerability saving all those attempted passwords, etc.
There is actually a significant security risk in keeping a history of
such passwords. While they might be invalid at the DSA for
authentication, they are likely valid elsewhere. That is, it quite
likely that a user might enter passwords for related systems. So
keeping long term (pass the authentication request) exposes the user
to greater risk.
My thinking exactly. But then, if they are encrypted and protected
the same as the password history and userpassword attributes, that
might mitigate this particular risk to an extent, especially if you
sync your users passwords across all systems, as many corps do (Don't
get me wrong, I still see this as risky and I can think of many ways
it may be misused...)
Of course, one should note that lockout mechanisms are a major target
of DoS attacks...
Without a doubt. But... I think what Aravind was getting at was a way
to reduce the potential for (particularly unintentional) DoS "attacks"
- cases such as clients that store an old password and then lock out a
user, etc. We get tickets for that all day here as well... Actually,
I'd say most if not all of out password lockout issues are from this
rather than genuine attacks, but we still have to implement password
policies like this "just in case" and follow up on each case (we're a
rather prime target here...)
I will say that if such an enhancement *were* to be implemented, it
would probably eliminate almost all our false positives and only lock
out users for extreme cases and genuine attacks...