On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu <hyc@symas.com> wrote:
Fix the real problem, not just the symptom. The approach you're pushing for is just putting a bandaid on a problem, not fixing it. This may be how other folks handle their software design problems, but it just doesn't fly for security issues.
Howard,
You are right that it's not correct for apps to continue trying to authenticate with an incorrect password, or for them to fail silently. In a perfect world this would not happen. Unfortunately, we can't control all these apps or users' behaviors. My choices are to either ignore the problem and lock folks out after X failed attempts (whether real or from faulty apps), or not implement any sort of lockout at all. I am not sure how else I can explain this to you, but it's a real problem, and saying "fix your apps" doesn't always work.
Aravind.