On Tue, Jan 27, 2009 at 12:14 PM, Clowser, Jeff
Sounds like what you are saying is that rather than counting the
failed attempts to bind, you want to count the number of failed unique
passwords that were attempted - i.e. if you keep trying the same password
over and over, it only counts as one, so clients with saved passwords
don't constantly lock out accounts.
That would be nice, but I can't help but think (without having
out in detail) that there would be a gotcha to this - performance issue,
security vulnerability saving all those attempted passwords, etc.

Well.. I can't speak for performance, I am not familiar enough with
the code base to really even attempt this myself. Implementing this
as another overlay module should limit the impact it has on core code?
As to the security vulnerability, combining this with a policy that
says you are not allowed to re-use previous passwords should help
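
The counting scheme discussed in this thread, sketched as an added example; it is not part of either message and not code from any directory server. The class and method names, the in-memory store, and the choice to keep a keyed HMAC fingerprint of each wrong password instead of the password itself are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict


class UniqueFailureLockout:
    """Lock an account after N *distinct* wrong passwords, not N failed binds."""

    def __init__(self, max_unique_failures=3, key=None):
        self.max_unique_failures = max_unique_failures
        # Server-side secret (assumption): fingerprints are useless without it.
        self._key = key or os.urandom(32)
        self._seen = defaultdict(set)  # account -> fingerprints of wrong passwords

    def _fingerprint(self, account, password):
        # Keyed hash bound to the account; the attempted password is never stored.
        msg = account.encode() + b"\x00" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def record_failure(self, account, password):
        """Record a failed bind; return the number of distinct wrong passwords."""
        if not self.is_locked(account):  # stop growing the set once locked
            self._seen[account].add(self._fingerprint(account, password))
        return len(self._seen[account])

    def is_locked(self, account):
        return len(self._seen[account]) >= self.max_unique_failures

    def record_success(self, account):
        """A successful bind clears the failure history for the account."""
        self._seen.pop(account, None)


def demo():
    # Constructed scenario: a client retries one stale saved password 50 times,
    # then two different guesses are tried against the same account.
    lockout = UniqueFailureLockout(max_unique_failures=3)
    dn = "uid=jdoe,ou=people,dc=example,dc=com"  # constructed sample entry
    for _ in range(50):
        lockout.record_failure(dn, "stale-saved-password")
    after_retries = lockout.is_locked(dn)   # one distinct value so far
    lockout.record_failure(dn, "guess-1")
    lockout.record_failure(dn, "guess-2")
    after_guesses = lockout.is_locked(dn)   # three distinct values
    return after_retries, after_guesses


if __name__ == "__main__":
    print(demo())
```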