Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] account lockout after x incorrect attempts???
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Thu, 06 Oct 2005 13:32:41 -0700
  • Message-id: <434589E9.9010805@xxxxxxxxxx>
Baenen Eric P Contr AFRL/HEC wrote:
> The SUSE secure alternative of login delays (ours set to 20 seconds) quite
> effectively deters brute force attacks and logging of failed login attempts
> with notification gives us indications when "something isn't right" - but
> unfortunately we don't have a say in the matter.
>
Did 'management' say how *long* the lockout had to be? The 20 second
delay could be characterized as a very brief "lockout". If they don't
like that, then change the number to 20 minutes, or 20 years if they
really insist.

Better yet would be if the delay grew exponentially with each failure.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
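
The exponentially growing delay suggested in the message above, sketched as an added example that is not part of the original mail or of any SUSE tool. The 20-second base comes from the thread; the doubling factor, the one-day cap, and the names `delay_after`, `LoginThrottle` and `total_wait` are assumptions made for illustration.

```python
BASE_DELAY = 20.0          # seconds; the fixed delay quoted in the thread
MAX_DELAY = 24 * 3600.0    # assumed cap (one day) so a delay never becomes permanent


def delay_after(failures, base=BASE_DELAY, cap=MAX_DELAY):
    """Seconds to wait after `failures` consecutive bad logins: base * 2^(n-1), capped."""
    if failures <= 0:
        return 0.0
    # Clamp the exponent first so a huge failure count cannot blow up the arithmetic.
    exponent = min(failures - 1, 64)
    return min(cap, base * 2 ** exponent)


class LoginThrottle:
    """Tracks consecutive failures per account and refuses attempts made too early."""

    def __init__(self, base=BASE_DELAY, cap=MAX_DELAY):
        self.base, self.cap = base, cap
        self._state = {}  # account -> (consecutive failures, time of last failure)

    def retry_after(self, account, now):
        """Seconds the account must still wait at time `now` (0.0 means allowed)."""
        failures, last = self._state.get(account, (0, 0.0))
        return max(0.0, last + delay_after(failures, self.base, self.cap) - now)

    def record(self, account, now, success):
        """Record an attempt's outcome; returns False if it arrived during the delay."""
        if self.retry_after(account, now) > 0:
            return False  # rejected without checking the password; counter unchanged
        if success:
            self._state.pop(account, None)  # a good login resets the counter
        else:
            failures, _ = self._state.get(account, (0, 0.0))
            self._state[account] = (failures + 1, now)
        return True


def total_wait(guesses, exponential, base=BASE_DELAY, cap=MAX_DELAY):
    """Total enforced waiting time (seconds) for `guesses` consecutive failures."""
    if exponential:
        return sum(delay_after(n, base, cap) for n in range(1, guesses + 1))
    return guesses * base
```

With these assumed parameters, ten consecutive failures cost 200 seconds of waiting under the fixed delay and 20460 seconds under the doubling one.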

