Hi,

My idea is to store this information per user, so the others remain unaffected by locked mailboxes.

Another possibility is to lock the account only for a specific amount of time (let's say 10 minutes) after 3 password failures. So if somebody tries some hardcore brute force, the database grows only for a small period of time.

Unfortunately I'm not a good C coder, but I'll try to do this when I have some spare time available... this could be a chance to get into C a little bit more :)

CU
Flo

-----Original Message-----
From: Paul L. Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, 25 September 2003 16:13
To: [EMAIL PROTECTED]
Subject: Re: WG: [vchkpw] lock account after login failures

Feucht, Florian writes:

> is this problem unsolvable, or did i say something wrong?

Doing it the way you suggest, counting failures, means remembering state somewhere, somehow. If you have a lot of idiot users, this state could become very large and slow. Also there are two possible denial of service attacks: the first is somebody deliberately giving a bad password several times to lock some user out; the second is somebody deliberately giving a bad password for every user on your system in order to make the state cdb large and slow.

A simpler, but less effective, mechanism is for vchkpw to sleep for several seconds before it returns an "invalid password" response. Again, there is a denial of service attack which can be used if somebody has a big enough computer or a distributed attack network: keep giving bad passwords for all users so there are lots of processes sleeping and your machine spends all its time swapping them in and out.

--
Paul Allen
Softflare Support
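As an added illustration of the per-user, time-windowed lockout Flo proposes (this is not code from the thread or from vpopmail, and vchkpw has no such hook; all names and constants below are hypothetical), here is the bookkeeping in C, since vchkpw is written in C. It keeps the state in a fixed-size in-memory table for the sake of a runnable example; a real vchkpw runs once per login attempt, so the table would have to be persisted and locked (Paul's "state cdb"). Two properties answer the concerns raised in the thread: an entry is discarded once its 10-minute window has passed, so the state only grows for that window however hard the brute force is, and the table has a hard upper bound, so the bad-password-for-every-user attack can fill it but cannot make it grow without limit.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical constants (not from vpopmail): the thread's "3 failures, 10 minutes". */
#define MAX_FAILS    3
#define LOCK_SECS    600
#define MAX_ENTRIES  64   /* hard bound on remembered state */
#define USER_LEN     64   /* longer names are truncated and would share a slot */

struct lock_entry {
    char   user[USER_LEN];   /* empty string = free slot */
    int    fails;            /* failures in the current window */
    time_t last_fail;        /* the window ends LOCK_SECS after this */
};

/* In-memory table for illustration only; vchkpw would need this in a file. */
static struct lock_entry table[MAX_ENTRIES];

static int slot_free(const struct lock_entry *e)
{
    return e->user[0] == '\0';
}

/* A slot whose window has passed is stale and gets reclaimed, so the state
 * only covers the last LOCK_SECS of bad passwords. */
static int slot_expired(const struct lock_entry *e, time_t now)
{
    return slot_free(e) || now - e->last_fail >= LOCK_SECS;
}

/* Find user's live entry, sweeping expired entries on the way; NULL if none. */
static struct lock_entry *find_entry(const char *user, time_t now)
{
    int i;
    for (i = 0; i < MAX_ENTRIES; i++) {
        if (slot_free(&table[i]))
            continue;
        if (slot_expired(&table[i], now)) {
            memset(&table[i], 0, sizeof table[i]);
            continue;
        }
        if (strcmp(table[i].user, user) == 0)
            return &table[i];
    }
    return NULL;
}

/* 1 if user is locked out right now. Check this before the password compare,
 * and give the same "invalid password" answer either way. */
int lockout_is_locked(const char *user, time_t now)
{
    const struct lock_entry *e = find_entry(user, now);
    return e != NULL && e->fails >= MAX_FAILS;
}

/* Record a bad password. Returns the failure count in the window, or -1 when
 * the table is full (the caller then chooses to fail open or closed). */
int lockout_record_failure(const char *user, time_t now)
{
    struct lock_entry *e = find_entry(user, now);
    if (e == NULL) {
        int i;
        for (i = 0; i < MAX_ENTRIES && e == NULL; i++)
            if (slot_free(&table[i]))
                e = &table[i];
        if (e == NULL)
            return -1;
        strncpy(e->user, user, USER_LEN - 1);
        e->user[USER_LEN - 1] = '\0';
        e->fails = 0;
    }
    e->fails++;
    e->last_fail = now;   /* the lock runs LOCK_SECS from the latest failure */
    return e->fails;
}

/* Successful login: forget the user's failures. */
void lockout_clear(const char *user, time_t now)
{
    struct lock_entry *e = find_entry(user, now);
    if (e != NULL)
        memset(e, 0, sizeof *e);
}

/* Number of slots holding live state, to show that it stays bounded. */
int lockout_live_entries(time_t now)
{
    int i, n = 0;
    for (i = 0; i < MAX_ENTRIES; i++)
        if (!slot_expired(&table[i], now))
            n++;
    return n;
}

int main(void)
{
    time_t t = 1000;   /* constructed clock so the run is deterministic */
    int i;
    for (i = 0; i < MAX_FAILS; i++)
        lockout_record_failure("alice", t + i);
    printf("alice locked at t+3:   %d\n", lockout_is_locked("alice", t + 3));
    printf("alice locked at t+602: %d\n", lockout_is_locked("alice", t + 2 + LOCK_SECS));
    printf("live entries at t+602: %d\n", lockout_live_entries(t + 2 + LOCK_SECS));
    return 0;
}
```

Two caveats a practitioner would want stated. First, this does nothing about Paul's first denial of service: because the key is the username alone, anyone can still lock a chosen user out by sending three bad passwords. Keying the counter on the pair (user, remote address) narrows that to a single source, at the cost of letting a distributed attacker spread attempts across addresses; whether the remote address is available to vchkpw depends on how it is invoked, which is an assumption this example does not make. Second, when the table is full the failure is reported as -1 rather than silently dropped, so the decision between failing open (no lockout for new users under attack) and failing closed (reject everyone not already tracked) is explicit rather than accidental.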