[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [JunkMail] Re: Server side delay for bad passwords?

To: Dan White <dwhite@olp.net>
Subject: Re: [JunkMail] Re: Server side delay for bad passwords?
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Thu, 7 Feb 2008 13:54:34 -0500 (EST)
Cc: Howard Chu <hyc@symas.com>, openldap-software@openldap.org, Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
In-reply-to: <47AB4E6B.6070605@symas.com>
References: <47AB42FD.9070305@olp.net> <hbf.20080207zb4p@bombur.uio.no> <47AB4E6B.6070605@symas.com>

But I'd like to enforce a server side delay of, for example, 5
seconds.
User-friendliness aside, have a look at slapo-retcode.

Probably the right points -- but we all know what's more important than the users, let's think about *admin* friendliness. I'd like to believe that my servers are roughly "right-sized", but that means fractional-second response times. If I started putting even a small amount of those connections onto 5 second sleeps, things would get very bad in very short order. This assumes no malice, just the very-very-very regular batch of users with typos; I'd hate to think how bad this could get under the active attack you envision.

I suppose you could make your overlay do something heinous like drop the connection. But never allowing err=49 (or, much worse, disclosing information by *sometimes* err=49) seems like it would produce other forms of pain.

References:
- Server side delay for bad passwords?
  - From: Dan White <dwhite@olp.net>
- Re: Server side delay for bad passwords?
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: [JunkMail] Re: Server side delay for bad passwords?
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: [JunkMail] Re: Tuning cachesize
Next by Date: Re: Server side delay for bad passwords?
Index(es):
- Chronological
- Thread