Hello!

On Thu, Oct 20, 2005 at 11:01:55PM +0200, Jesper Louis Andersen wrote:
>[... what looks like good advice ...]
>A typical attack vector, however, for 1000+ account sites is a
>compromised account. You can assume at least 5 per 1000 accounts are
>compromised or have easily guessable passwords. Those will not heed your
>policy forms whatever you do. You can mitigate the risk by separating
>systems and limiting account access. When this is not possible,
>ProPolice, W^X, StackGhost, etc. will come in very handy.

You can mitigate the risk of guessable passwords by checking passwords
on change, using the minpasswordlen and passwordcheck fields of
login.conf. Set passwordtries to 0 so the user can't override the
password policy by insisting on the bad password.

>[...]

Kind regards,
Hannah.
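As an added example that is not part of this thread, here is what those three login.conf capabilities look like in practice, together with a small external filter that could be named in passwordcheck. It assumes the documented OpenBSD interface (passwd(1) writes the candidate password to the filter's stdin; exit 0 accepts, non-zero rejects) and the constructed install path /usr/local/libexec/pwcheck; the blocklist path and the character-class rule are the example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example: a minimal password filter for the login.conf "passwordcheck"
# capability. passwd(1) writes the candidate password to the filter's stdin;
# exit status 0 accepts it, anything else rejects it.
#
# Example /etc/login.conf fragment (run `cap_mkdb /etc/login.conf` afterwards):
#
#   default:\
#       :minpasswordlen=12:\
#       :passwordcheck=/usr/local/libexec/pwcheck:\
#       :passwordtries=0:\
#       :tc=auth-defaults:
#
# With passwordtries=0, passwd(1) keeps asking until the new password passes
# both minpasswordlen and this filter, instead of giving in after the default
# number of rejected attempts.

# pwcheck PASSWORD -> returns 0 when acceptable, 1 when rejected.
pwcheck() {
    pw=$1
    # Blocklist path is constructed for this example; /usr/share/dict/words is
    # only a placeholder for a real wordlist of known-bad passwords.
    blocklist=${PWCHECK_BLOCKLIST:-/usr/share/dict/words}

    # Reject a password that is a whole line of the blocklist, case-insensitively.
    if [ -r "$blocklist" ] && grep -qixF -- "$pw" "$blocklist"; then
        echo "password is on the blocklist" >&2
        return 1
    fi

    # Count the character classes present: lower, upper, digit, other.
    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 3 ]; then
        echo "password needs at least three character classes" >&2
        return 1
    fi
    return 0
}

# Entry point when installed as "pwcheck" and run by passwd(1); skipped when
# the file is sourced so the function can be tested without consuming stdin.
if [ "${0##*/}" = pwcheck ]; then
    IFS= read -r candidate
    pwcheck "$candidate"
    exit $?
fi
```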