On Jan 27, 2009, at 12:14 PM, Clowser, Jeff wrote:
That would be nice, but I can't help but think (without having thought it out in detail) that there would be a gotcha to this - performance issue, security vulnerability saving all those attempted passwords, etc.
There is actually a significant security risk in keeping a history of such passwords. While they might be invalid at the DSA for authentication, they are likely valid elsewhere. That is, it is quite likely that a user might enter passwords for related systems. So keeping them long term (past the authentication request) exposes the user to greater risk.
Of course, one should note that lockout mechanisms are a major target of DoS attacks...
-- Kurt