On Tue, Jan 27, 2009 at 12:14 PM, Clowser, Jeff jeff_clowser@fanniemae.com wrote:
Sounds like what you are saying is that rather than counting the number of failed attempts to bind, you want to count the number of failed unique passwords that were attempted - i.e. if you keep trying the same password over and over, it only counts as one, so clients with saved passwords don't constantly lock out accounts.
Yup, exactly.
That would be nice, but I can't help but think (without having thought it out in detail) that there would be a gotcha to this - performance issue, security vulnerability saving all those attempted passwords, etc.
Well... I can't speak for performance; I am not familiar enough with the code base to really even attempt this myself. Implementing this as another overlay module should limit the impact it has on core code? As to the security vulnerability, combining this with a policy that says you are not allowed to re-use previous passwords should help mitigate that.
Aravind.
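The idea discussed in this thread (count distinct wrong passwords rather than raw bind failures, so a client replaying one stale saved password does not lock the account) as an added illustration in Python. This is not OpenLDAP ppolicy overlay code and not anything posted by either participant; the class name, the thresholds and the keyed-HMAC fingerprinting are all assumptions made here. It addresses the "saving all those attempted passwords" concern by never storing the attempted password itself: only a keyed HMAC of it is kept, and entries expire after a window.

```python
import hashlib
import hmac
import os
import time


class UniqueFailureLockout:
    """Lock an account after N *distinct* failed passwords within a time window.

    Assumed design (not from the original thread): failed attempts are stored
    as keyed HMAC digests of (user, password), so the store holds no plaintext
    guesses and digests cannot be compared offline without the server key.
    """

    def __init__(self, max_unique_failures=5, window_seconds=3600, secret=None):
        self.max_unique_failures = max_unique_failures
        self.window = window_seconds
        # Server-side key; must be protected like any other credential material.
        self.secret = secret or os.urandom(32)
        # user -> {fingerprint: timestamp of first time this wrong password was seen}
        self._failures = {}

    def _fingerprint(self, user, password):
        # Bind the digest to the user so equal passwords on different accounts
        # do not produce equal fingerprints.
        msg = f"{user}\x00{password}".encode("utf-8")
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _prune(self, user, now):
        attempts = self._failures.setdefault(user, {})
        for fp, first_seen in list(attempts.items()):
            if now - first_seen > self.window:
                del attempts[fp]
        return attempts

    def record_failure(self, user, password, now=None):
        """Record a failed bind; returns the number of distinct wrong passwords seen."""
        now = time.time() if now is None else now
        attempts = self._prune(user, now)
        fp = self._fingerprint(user, password)
        # setdefault: replaying the same wrong password does not add an entry,
        # so a client with a stale saved password cannot drive the count up.
        attempts.setdefault(fp, now)
        return len(attempts)

    def unique_failures(self, user, now=None):
        now = time.time() if now is None else now
        return len(self._prune(user, now))

    def is_locked(self, user, now=None):
        return self.unique_failures(user, now) >= self.max_unique_failures

    def record_success(self, user):
        # A correct bind clears the failure history, as ordinary lockout does.
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = UniqueFailureLockout(max_unique_failures=3, window_seconds=600)
    # Constructed scenario: a mail client replays one stale password ten times.
    for _ in range(10):
        policy.record_failure("alice", "old-saved-password", now=1000)
    print("distinct failures:", policy.unique_failures("alice", now=1000))  # 1
    print("locked:", policy.is_locked("alice", now=1000))  # False
```

Pairing this with a history policy that forbids re-using previous passwords, as suggested in the thread, keeps the stored digests from matching a password the account might be set back to; the digests themselves should still be expired quickly and the HMAC key kept out of any dump of the failure store.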