On Tue, Jan 27, 2009 at 2:01 PM, Clowser, Jeff
<jeff_clowser@fanniemae.com> wrote:
> I will say that if such an enhancement *were* to be implemented, it
> would probably eliminate almost all our false positives and only lock
> out users for extreme cases and genuine attacks...

Yup, this is proving to be a PITA for us. Folks log in from multiple
machines and get locked out when they forget to propagate their
password changes to all those machines.
Also, I am not sure how this will be any greater security risk than
the current system of storing an SSHA hash of the current password
within LDAP? We could store similar hashes of all the passwords tried
(up to pwdMaxFailure) and compare against that?
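
The idea raised in this message, as an added sketch that is not code from the thread or from any LDAP server: only distinct wrong passwords count toward pwdMaxFailure, tracked as salted SSHA hashes of the failed attempts. The `Account` class, the `failed_hashes` list and the sample passwords are assumptions made for illustration; failed attempts are frequently near-misses of the real password, so such hashes would need the same access controls as the stored password hash.

```python
import base64
import hashlib
import hmac
import os

def ssha(password, salt=None):
    """Return an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

class Account:
    """Hypothetical account entry; not a real directory server's data model."""
    def __init__(self, password, pwd_max_failure=3):
        self.user_password = ssha(password)
        self.pwd_max_failure = pwd_max_failure
        self.failed_hashes = []  # at most pwd_max_failure entries

    @property
    def locked(self):
        return len(self.failed_hashes) >= self.pwd_max_failure

    def bind(self, attempt):
        if self.locked:
            return False
        if ssha_matches(attempt, self.user_password):
            self.failed_hashes.clear()  # success resets the failure state
            return True
        # A repeat of an already-recorded wrong password is not counted again.
        if not any(ssha_matches(attempt, h) for h in self.failed_hashes):
            self.failed_hashes.append(ssha(attempt))
        return False

def demo():
    acct = Account("new-Passw0rd", pwd_max_failure=3)
    # Constructed scenario: other machines keep retrying the stale password.
    for _ in range(10):
        acct.bind("old-Passw0rd")
    stale_only = (len(acct.failed_hashes), acct.locked)
    # Constructed scenario: two further, different wrong passwords.
    acct.bind("guess-1")
    acct.bind("guess-2")
    return stale_only, acct.locked, acct.bind("new-Passw0rd")
```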