21 May
2014
21 May
'14
9:47 a.m.
Chris Jacobs wrote:
First of all, password lockout itself is a dumb idea, and we only implement it because it's part of the original ppolicy spec. The ppolicy spec is pathetically bad though.
What methods aren't dumb ideas that accomplish account unavailability on N password failures?
Look at a later rev of the spec - use increasing delays. It's the standard approach used by Unix for 40-some years.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/