On 04/19/2011 04:13, gnupg-users-requ...@gnupg.org wrote:
> GnuPG Users <gnupg-users@gnupg.org>
(1) Apply the "Strike 3, you're out" rule. Any password gate should apply this rule: if the requester does not know the password and submits repeated bad answers, DISABLE ACCESS. Game over.

(2) Controlling Help Desk Problems

a) Secret questions are NOT a good idea, as these facilitate guessing. Generally people will not be very good at writing obfuscated questions.

b) A password management package could be a good idea. WE HAVE BEEN ASKING INDUSTRY FOR THIS FOR YEARS AS "SINGLE PASSWORD". You enter it ONCE: when you log on.

c) TIMEOUT: a WRONG PASSWORD should CAUSE A DELAY. Wrong password: 1 sec delay before next try. Think what this does to a brute force attacker which might need to run thousands of tries per second...

Why is it we are always fussing over theoretical stuff instead of doing basic stuff that would help us?

--
/MIKE
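The two controls the post argues for, a fixed delay after every wrong password and a lockout after three failures, as an added example that is not code from the post or from GnuPG; the PasswordGate class, its PBKDF2 credential store and the sample "alice" account are my assumptions, and the sleep is injectable so the delay can be observed without waiting:

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3            # "strike 3, you're out": lock the account
WRONG_PASSWORD_DELAY = 1.0  # seconds to stall after every wrong answer

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordGate:
    # Verifies passwords, stalls after each failure, locks after MAX_FAILURES.
    def __init__(self, sleep=time.sleep):
        self._creds = {}     # user -> (salt, derived key)
        self._failures = {}  # user -> consecutive failures
        self._locked = set()
        self._sleep = sleep  # injectable so tests need not actually wait

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _derive(password, salt))

    def check(self, user: str, password: str) -> str:
        # Returns 'ok', 'denied' or 'locked'; unknown users take the same path.
        if user in self._locked:
            return "locked"
        entry = self._creds.get(user)
        # Dummy salt/key for unknown users so response time does not leak existence.
        salt, expected = entry if entry else (bytes(16), bytes(32))
        supplied = _derive(password, salt)
        if entry and hmac.compare_digest(expected, supplied):
            self._failures[user] = 0
            return "ok"
        self._sleep(WRONG_PASSWORD_DELAY)  # the post's 1 s timeout per wrong answer
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked.add(user)         # stays locked until an out-of-band reset
            return "locked"
        return "denied"

def demo(sleep=time.sleep) -> list:
    # Constructed account and attempt sequence (not from the post): three wrong
    # guesses lock the account, so even the right password is then refused.
    gate = PasswordGate(sleep=sleep)
    gate.register("alice", "correct horse")
    attempts = ["guess1", "guess2", "guess3", "correct horse"]
    return [gate.check("alice", p) for p in attempts]  # -> ['denied', 'denied', 'locked', 'locked']
```

Note that a per-account lockout also lets anyone who knows a username lock that account out, which is why the post pairs it with a help desk process; the delay alone has no such side effect.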
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users