Re: password policy - alternate lockout mechanism

[Kurt Zeilenga <Kurt@OpenLDAP.org>]

On Jan 27, 2009, at 12:14 PM, Clowser, Jeff wrote:

> That would be nice, but I can't help but think (without having thought
> it
> out in detail) that there would be a gotcha to this - performance  
> issue,
> security vulnerability saving all those attempted passwords, etc.

There is actually a significant security risk in keeping a history of  
such passwords.  While they might be invalid at the DSA for  
authentication, they are likely valid elsewhere.  That is, it quite  
likely that a user might enter passwords for related systems.  So  
keeping long term (pass the authentication request) exposes the user  
to greater risk.

Of course, one should note that lockout mechanisms are a major target  
of DoS attacks...

-- Kurt