Chris Jacobs wrote:
> First of all, password lockout itself is a dumb idea, and we only
> implement it
> because it's part of the original ppolicy spec. The ppolicy spec is pathetically
> bad though.
What methods aren't dumb ideas that accomplish account unavailability on N password
failures?
Look at a later rev of the spec - use increasing delays. It's the standard
approach used by Unix for 40-some years.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
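The contrast Howard draws above, as an added illustration that is not part of this thread and not OpenLDAP's ppolicy code: a toy bind front end implementing both a classic "lock after N failures" policy and an increasing-delay policy, then running the same scenario (an attacker burns through the failure budget on someone else's account, then the real user binds with the right password) against each. The user name, password, delay parameters and the in-memory credential table are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed credential table so the example runs offline; a real server
# would check the password against the directory entry.
USERS = {"alice": "correct horse"}


class LockoutPolicy:
    """ppolicy-style lockout: after max_failures consecutive failures the
    account is refused until an administrator resets it, even when the
    presented password is correct."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self._failures: Dict[str, int] = {}

    def bind(self, user: str, password: str, now: float) -> Tuple[str, float]:
        if self._failures.get(user, 0) >= self.max_failures:
            return "locked", 0.0          # correct password or not, nobody gets in
        if USERS.get(user) == password:
            self._failures.pop(user, None)
            return "ok", 0.0
        self._failures[user] = self._failures.get(user, 0) + 1
        return "failed", 0.0

    def admin_unlock(self, user: str) -> None:
        self._failures.pop(user, None)


@dataclass
class _DelayState:
    failures: int = 0        # consecutive failed binds
    not_before: float = 0.0  # earliest timestamp at which the next bind is evaluated


class IncreasingDelayPolicy:
    """Increasing-delay policy: each consecutive failure doubles the wait before
    the next bind is evaluated, capped at max_delay. A correct password after the
    wait always succeeds, so the account is slowed down but never made
    unavailable."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state: Dict[str, _DelayState] = {}

    def bind(self, user: str, password: str, now: float) -> Tuple[str, float]:
        st = self._state.setdefault(user, _DelayState())
        if now < st.not_before:
            # The password is not evaluated while the back-off is in force, so a
            # guessing client learns nothing faster by ignoring the delay.
            return "throttled", st.not_before - now
        if USERS.get(user) == password:
            self._state.pop(user, None)   # success clears the back-off
            return "ok", 0.0
        st.failures += 1
        delay = min(self.base_delay * (2 ** (st.failures - 1)), self.max_delay)
        st.not_before = now + delay
        return "failed", delay


def scenario_lockout(max_failures: int = 3) -> str:
    """Attacker exhausts the failure budget; the real user then binds correctly."""
    policy = LockoutPolicy(max_failures=max_failures)
    for i in range(max_failures):
        policy.bind("alice", f"guess{i}", now=float(i))
    status, _ = policy.bind("alice", "correct horse", now=float(max_failures))
    return status   # "locked": the attacker has denied service to alice


def scenario_delay() -> Tuple[List[Tuple[str, float]], Tuple[str, float], Tuple[str, float]]:
    """Same attacker behaviour under increasing delays; returns the attacker's
    results, then the real user's bind before and after the back-off expires."""
    policy = IncreasingDelayPolicy(base_delay=1.0, max_delay=300.0)
    attacker: List[Tuple[str, float]] = []
    t = 0.0
    for i in range(3):
        status, wait = policy.bind("alice", f"guess{i}", now=t)
        attacker.append((status, wait))
        t += wait                 # attacker waits out each delay: t ends at 7.0
    early = policy.bind("alice", "correct horse", now=5.0)   # still inside back-off
    late = policy.bind("alice", "correct horse", now=7.0)    # back-off expired
    return attacker, early, late


def delay_schedule(failures: int) -> List[float]:
    """Delays imposed after each of `failures` consecutive wrong passwords."""
    policy = IncreasingDelayPolicy(base_delay=1.0, max_delay=300.0)
    out, t = [], 0.0
    for i in range(failures):
        _, wait = policy.bind("bob", f"guess{i}", now=t)
        out.append(wait)
        t += wait
    return out


if __name__ == "__main__":
    print("lockout:", scenario_lockout())
    print("delay:", scenario_delay())
    print("schedule:", delay_schedule(11))
```

Under lockout the third-party attacker ends the scenario with the account refusing the correct password until an administrator intervenes; under increasing delays the worst an attacker can impose is a wait bounded by `max_delay`, after which the legitimate bind succeeds, while the attacker's own guess rate collapses geometrically. A production implementation would keep the per-account state in the directory entry (or shared store) rather than in process memory so the back-off survives restarts and applies across replicas.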