On 04/19/2011 04:13, gnupg-users-requ...@gnupg.org wrote:
> GnuPG Users <gnupg-users@gnupg.org>
>

(1) Apply the "Strike 3, you're out" rule.  Any password gate should apply
this rule: if the requester does not know the password and submits
repeated bad answers, DISABLE ACCESS. Game over.

(2) Controlling Help Desk Problems

a) Secret questions are NOT a good idea, as these facilitate guessing.
Generally, people will not be very good at writing obfuscated questions.

b) A password management package could be a good idea. WE HAVE BEEN ASKING
INDUSTRY FOR THIS FOR YEARS AS "SINGLE PASSWORD".  You enter it ONCE:
when you log on.

c) TIMEOUT: a WRONG PASSWORD should CAUSE A DELAY.  Wrong password: 1
sec delay before next try.  Think what this does to a brute force
attacker which might need to run thousands of tries per second...

Why is it we are always fussing over theoretical stuff instead of doing
basic stuff that would help us?

-- 
/MIKE
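A toy password gate that implements the two mechanical rules from the post above, three strikes then the account is disabled and a one-second penalty after every wrong password, added here as an illustration and not part of the original message or of GnuPG; the credential table, the injectable clock and all names are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

MAX_STRIKES = 3        # "Strike 3, you're out"
DELAY_SECONDS = 1.0    # penalty window after each wrong password


@dataclass
class AccountState:
    strikes: int = 0
    locked: bool = False
    next_allowed: float = 0.0   # clock value before which attempts are refused


class PasswordGate:
    """Hypothetical gate combining lockout and delay. Passwords are kept in
    plaintext here only to keep the example short; a real system stores
    salted hashes. The clock is injectable so behaviour can be tested."""

    def __init__(self, credentials, clock=time.monotonic):
        self._creds = credentials     # constructed sample: {username: password}
        self._clock = clock
        self._state = {}

    def attempt(self, user, password):
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if st.locked:
            return "locked"           # disabled until an administrator intervenes
        if now < st.next_allowed:
            return "too_early"        # inside the penalty window, not even checked
        expected = self._creds.get(user)
        # Unknown users walk the same path as wrong passwords, so the response
        # does not reveal whether the account exists.
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            st.strikes = 0            # a good login clears the strike count
            return "ok"
        st.strikes += 1
        st.next_allowed = now + DELAY_SECONDS
        if st.strikes >= MAX_STRIKES:
            # Caveat for deployers: a permanent lock lets anyone who knows a
            # username deny service to its owner, so the delay alone is often
            # the safer default and the lock needs an unlock procedure.
            st.locked = True
            return "locked"
        return "denied"
```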


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
