On Jan 27, 2009, at 12:14 PM, Clowser, Jeff wrote:
That would be nice, but I can't help but think (without having
out in detail) that there would be a gotcha to this - performance
security vulnerability saving all those attempted passwords, etc.
There is actually a significant security risk in keeping a history of
such passwords. While they might be invalid at the DSA for
authentication, they are likely valid elsewhere. That is, it quite
likely that a user might enter passwords for related systems. So
keeping long term (pass the authentication request) exposes the user
to greater risk.
Of course, one should note that lockout mechanisms are a major target
of DoS attacks...