[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy - alternate lockout mechanism

To: openldap-software@openldap.org
Subject: Re: password policy - alternate lockout mechanism
From: Aravind Gottipati <aravind@freeshell.org>
Date: Sun, 12 Jul 2009 23:14:02 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:from:date:x-google-sender-auth:message-id:subject:to :content-type:content-transfer-encoding; bh=9X95clyb49dzc1tL1+aMogsH6WdfL5YyqxvBSpCXEKM=; b=ll6wjoZqX7EbFEKsRW9rVoAqbCemA/N+qYtMTODzxz6RRod9nQdk5komeMEsXWqJ/K wTn9X4ZZlQ1A+DC6SUcosdZJ/np8UL7jqfCt6qwdxCK8EF79OaxmeaP6pIB8XJaFTuep ScFfxP+mlMQEKgaI/RNPyk1sqS5Shp767hgwg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:content-type :content-transfer-encoding; b=Q88i/7Mz688EWA4zmG/tL5LjGbOSgDchA7m/UbK98o2aZzk5iFuikZ6iMmYq8AEOHW 5gjfJXvzcWhpOysViS07VKT8K7La+FpQFy6QAfF8/KiPFlMax9NSbDpGP5oqWLDvM5jk 0jaejp1qOJ/ZMWWPVj5/N5qyObGo+EGSmS4ZA=
In-reply-to: <4A5ACBEE.7040400@symas.com>
References: <a1348d630901261702h2bc88204o2b21b549e18e936a@mail.gmail.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0628@EXVG.fanniemae.com> <a1348d630901281315md8b28d2x51ff6a2b4b09f4aa@mail.gmail.com> <4980D453.3060808@symas.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0655@EXVG.fanniemae.com> <4980EA31.8040500@symas.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0658@EXVG.fanniemae.com> <a1348d630907122028k781dfbb0h6db3c441731e8e3c@mail.gmail.com> <4A5ABAD8.3070600@symas.com> <4A5ACBEE.7040400@symas.com>

On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu<hyc@symas.com> wrote:
> Fix the real problem, not just the symptom. The approach you're pushing for
> is just putting a bandaid on a problem, not fixing it. This may be how other
> folks handle their software design problems, but it just doesn't fly for
> security issues.

Howard,

You are right that it's not correct for apps to continue trying to
authenticate with an incorrect password, or for them to fail silently.
 In a perfect word this would not happen.  Unfortunately, we can't
control all these apps or user's behaviors.  My choices are to either
ignore the problem and lock folks out after X failed attempts (whether
real of from faulty apps), or, not even implement any sort of
lockouts.  I am not sure how else I can explain this to you, but it's
a real problem and saying, "fix your apps" doesn't always work.

Aravind.

Follow-Ups:
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>

References:
- Re: password policy - alternate lockout mechanism
  - From: Aravind Gottipati <aravind@freeshell.org>
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: password policy - alternate lockout mechanism
Next by Date: Is OpenLDAP RFC 3687-compliant?
Index(es):
- Chronological
- Thread