On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > I also think it would be really "cool"(TM) if the system could display
> > a message "password expired" or "account is locked" if the user
> > successfully authenticates to the system but is unable to authorize
> > the user to use the system. This saves the user wondering "did I use
> > the correct password?", "Did I enter it in correctly?", etc.
>
> This leaks information to attackers about the state of the account.
Hence "could": I don't consider the fact that an account is expired or locked (or exists, for that matter) to be sensitive information, for my uses, and would much prefer to give proper error messages. People with different security needs/philosophies use different policies ...

(I'd be satisfied if I could convince login/su to not force a pointless delay on an incorrect password--the only thing more annoying than mistyping my password is having my own system force me to wait. One of these days I'll get annoyed enough by this to track down why "FAIL_DELAY 0" isn't being honored ...)

-- 
Glenn Maynard
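As an added illustration (not code from the thread or from any Debian component): a toy login routine that separates authentication from account authorization, as the thread describes, and exposes both message policies under discussion side by side, the verbose one Glenn prefers and the uniform one Steve's objection implies. The user database, passwords and clock value are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

GENERIC = "Login incorrect"        # the single message the uniform policy emits
NOW = 1_700_000_000                # constructed "current time" (epoch seconds)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    expires_at: float = float("inf")  # epoch seconds; inf = password never expires

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_account(password, locked=False, expires_at=float("inf")) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), locked, expires_at)

# Constructed sample user database for the demo.
USERS = {
    "alice": make_account("hunter2"),                            # normal account
    "bob":   make_account("swordfish", locked=True),             # locked account
    "carol": make_account("letmein", expires_at=NOW - 86_400),   # password expired yesterday
}
_DUMMY = make_account("placeholder")  # hashed against when the name is unknown

def login(users, name, password, verbose, now=NOW):
    """Return (ok, message). Authentication runs first, then the account
    checks (in PAM terms: authentication versus account management).
    `verbose` selects the policy: report account state, or say nothing."""
    acct = users.get(name, _DUMMY)
    # Constant-time comparison; unknown names still pay the hashing cost,
    # so response time does not reveal whether the account exists.
    authenticated = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
    if not authenticated or name not in users:
        return False, GENERIC  # wrong password: never report account state
    if acct.locked:
        return False, ("account is locked" if verbose else GENERIC)
    if now >= acct.expires_at:
        return False, ("password expired" if verbose else GENERIC)
    return True, "ok"
```

Note that even the verbose policy only reports lock or expiry after a correct password, which is the behaviour the quoted proposal asks for; the uniform policy collapses every failure into the same string.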