On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu<hyc(a)symas.com> wrote:
> Fix the real problem, not just the symptom. The approach you're
> pushing for is just putting a bandaid on a problem, not fixing it.
> This may be how other folks handle their software design problems,
> but it just doesn't fly for security issues.
Howard,
You are right that it's not correct for apps to continue trying to
authenticate with an incorrect password, or for them to fail silently.
In a perfect world this would not happen. Unfortunately, we can't
control all these apps or users' behaviors. My choices are to either
ignore the problem and lock folks out after X failed attempts (whether
real or from faulty apps), or not implement any sort of
lockouts at all. I am not sure how else I can explain this to you, but it's
a real problem and saying "fix your apps" doesn't always work.
Aravind.