On Tue, Jan 27, 2009 at 12:14 PM, Clowser, Jeff
<jeff_clowser(a)fanniemae.com> wrote:
> Sounds like what you are saying is that rather than counting the number of
> failed attempts to bind, you want to count the number of failed unique
> passwords that were attempted - i.e. if you keep trying the same password
> over and over, it only counts as one, so clients with saved passwords
> don't constantly lock out accounts.
Yup, exactly.
> That would be nice, but I can't help but think (without having thought it
> out in detail) that there would be a gotcha to this - performance issue,
> security vulnerability saving all those attempted passwords, etc.
Well... I can't speak for performance; I am not familiar enough with
the code base to really even attempt this myself. Implementing this
as another overlay module should limit the impact it has on core code?
As to the security vulnerability, combining this with a policy that
says you are not allowed to re-use previous passwords should help
mitigate that.
Aravind.
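An added illustration of the counting rule being discussed (this is not code from the thread and not an OpenLDAP overlay; the class, the toy `bind()` flow, the fixed secret and the sample DN are all assumptions made for the example). Instead of storing the attempted passwords, each failure is recorded as an HMAC of the attempted password under a per-server secret, and only distinct fingerprints inside a sliding window count toward the lockout, so a client replaying one stale saved password counts once:

```python
import hashlib
import hmac
import os
import time


class UniquePasswordLockout:
    """Lock a DN after max_distinct *different* wrong passwords inside a
    sliding window. Replaying the same wrong password refreshes one entry
    instead of adding another. (Illustrative; not an OpenLDAP overlay.)"""

    def __init__(self, max_distinct=5, window=300, lock_duration=900, secret=None):
        self.max_distinct = max_distinct
        self.window = window          # seconds a failure stays counted
        self.lock_duration = lock_duration
        # Per-server secret: we store HMAC(secret, dn || password), never the
        # attempted password itself, so a leaked failure table does not hand
        # out plaintexts. Assumption: the secret is kept out of the DIT.
        self.secret = secret if secret is not None else os.urandom(32)
        self._failures = {}      # dn -> {fingerprint: last_seen_unix_time}
        self._locked_until = {}  # dn -> unix time at which the lock expires

    def _fingerprint(self, dn, password):
        msg = dn.encode("utf-8") + b"\x00" + password.encode("utf-8")
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _prune(self, dn, now):
        # Drop fingerprints older than the window and return the live table.
        table = self._failures.get(dn, {})
        self._failures[dn] = {fp: t for fp, t in table.items() if now - t <= self.window}
        return self._failures[dn]

    def is_locked(self, dn, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(dn, 0.0) > now

    def distinct_failures(self, dn, now=None):
        now = time.time() if now is None else now
        return len(self._prune(dn, now))

    def record_failure(self, dn, password, now=None):
        """Return (distinct_count, locked). The same wrong password seen again
        only updates its timestamp; it does not raise the count."""
        now = time.time() if now is None else now
        table = self._prune(dn, now)
        table[self._fingerprint(dn, password)] = now
        locked = len(table) >= self.max_distinct
        if locked:
            self._locked_until[dn] = now + self.lock_duration
        return len(table), locked

    def record_success(self, dn):
        self._failures.pop(dn, None)
        self._locked_until.pop(dn, None)


def bind(lockout, users, dn, password, now):
    """Toy simple-bind flow returning 'locked', 'ok' or 'invalid'.
    `users` maps dn -> correct password and is constructed sample data only
    (a real directory compares against a stored hash, not a plaintext)."""
    if lockout.is_locked(dn, now):
        return "locked"
    expected = users.get(dn, "")
    if hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        lockout.record_success(dn)
        return "ok"
    lockout.record_failure(dn, password, now)
    return "invalid"


def simulate(lockout, dn, attempts, start=1_000_000.0, step=1.0):
    """Feed a list of wrong passwords `step` seconds apart; return the last
    (distinct_count, locked) tuple."""
    result = (0, False)
    for i, pw in enumerate(attempts):
        result = lockout.record_failure(dn, pw, now=start + i * step)
    return result


if __name__ == "__main__":
    lk = UniquePasswordLockout(max_distinct=3, secret=b"k" * 32)
    dn = "uid=alice,ou=people,dc=example,dc=com"   # constructed sample DN
    print(simulate(lk, dn, ["stale-saved-password"] * 20))  # one fingerprint, not locked
    print(simulate(lk, dn, ["guess1", "guess2"], start=1_000_100.0))  # third distinct -> locked
```

The keyed hash removes the plaintexts from the failure table but is not a complete answer to the concern raised in the thread: anyone holding both the table and the server secret can still test candidate passwords against the stored fingerprints, which is exactly why a mistyped or previously used password in that table is worth less to an attacker when reuse of old passwords is forbidden. The window also bounds how long each fingerprint is kept, so the table does not grow without limit for an account under a slow guessing attack.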