I agree whole-heartedly with your point - it is a stupid, useless measure that leaves us open to major denial of service attacks... And I have stated this to 'upper IS management' - however we have been given no choice - it is 'corporate' policy - policy as usual, made by people who don't understand the technology -- and as usual, we have to live with the consequences. The SUSE secure alternative of login delays (ours set to 20 seconds) quite effectively deters brute force attacks, and logging of failed login attempts with notification gives us indications when "something isn't right" - but unfortunately we don't have a say in the matter. Thanks, Eric
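The "log failed attempts and notify" approach Eric describes, as an added example that is not from this thread: a small Python script scans constructed sshd-style syslog lines and flags a user/source pair once it accumulates a threshold of failures inside a sliding time window, raising an alert instead of locking the account. The log format, hostnames, addresses, year and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd/syslog style (not taken from the thread).
SAMPLE_LOG = """\
Jan 12 10:03:11 ws01 sshd[4211]: Failed password for eric from 192.0.2.7 port 51234 ssh2
Jan 12 10:03:14 ws01 sshd[4211]: Failed password for eric from 192.0.2.7 port 51234 ssh2
Jan 12 10:03:18 ws01 sshd[4213]: Failed password for eric from 192.0.2.7 port 51236 ssh2
Jan 12 10:03:25 ws01 sshd[4215]: Failed password for eric from 192.0.2.7 port 51238 ssh2
Jan 12 10:03:40 ws01 sshd[4217]: Accepted password for eric from 10.1.1.5 port 40022 ssh2
Jan 12 10:09:02 ws01 sshd[4220]: Failed password for ken from 10.1.1.9 port 40100 ssh2
Jan 12 10:30:10 ws01 sshd[4230]: Failed password for ken from 10.1.1.9 port 40110 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2006):
    """Return (timestamp, result, user, src), or None for lines we ignore.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def failed_login_alerts(log_text, threshold=3, window_s=300):
    """Alert on any (user, source) pair reaching `threshold` failures within
    `window_s` seconds. The account itself is never touched, so a stranger
    hammering someone's login cannot lock the real user out."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, user, src = rec
        q = recent[(user, src)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop stale failures
            q.popleft()
        if len(q) == threshold:   # fire once, when the threshold is first crossed
            alerts.append((user, src, ts.strftime("%b %d %H:%M:%S")))
    return alerts
```

Run against the sample, the four rapid failures for eric trigger one alert while ken's two widely spaced failures do not; in practice the alert list would be fed to whatever notification channel the admin already uses.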
We have a number of SUSE 9.x workstations - and recently we've been mandated to have them adhere to a corporate IT security policy that requires account lockout after a certain number of incorrect login attempts.
....
Look for this under Bone-Headed Security.
Imagine this policy is successfully implemented. Then *anyone* could lock anyone else out of their account (aka a DOS) simply by trying to log into it. This policy opens the door to all kinds of mischief. It would be even worse if it's going to be used to log in from the internet. Then you might as well give Al Qaida an on/off switch to your email system.
hth, korporal ken, civilian