
Re: [suse-security] account lockout after x incorrect attempts???

Baenen Eric P Contr AFRL/HEC wrote:
> The SUSE secure alternative of login delays (ours set to 20 seconds) quite
> effectively deters brute force attacks and logging of failed login attempts
> with notification gives us indications when "something isn't right" - but
> unfortunately we don't have a say in the matter.
Did 'management' say how *long* the lockout had to be? The 20 second
delay could be characterized as a very brief "lockout". If they don't
like that, then change the number to 20 minutes, or 20 years if they
really insist.

Better yet would be if the delay grew exponentially with each failure.

Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
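
The exponentially growing delay suggested above, as an added example that is not part of the original message or of any SUSE tool. The class and function names are hypothetical, the 20-second base is the figure quoted in the thread, and the 20-minute cap is an assumption borrowed from the reply.

```python
import time

BASE_DELAY = 20.0          # seconds; the 20-second delay quoted in the thread
MAX_DELAY = 20 * 60.0      # assumed cap: the "20 minutes" figure from the reply


class LoginThrottle:
    """Per-account delay that doubles with each consecutive failure."""

    def __init__(self, base=BASE_DELAY, cap=MAX_DELAY, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.failures = {}      # account -> consecutive failure count
        self.locked_until = {}  # account -> clock value when next attempt is allowed

    def delay_for(self, failures):
        """Delay after the n-th consecutive failure: base * 2^(n-1), capped."""
        if failures <= 0:
            return 0.0
        # Bound the exponent so a huge failure count cannot overflow a float.
        return min(self.cap, self.base * 2 ** min(failures - 1, 32))

    def wait_remaining(self, account):
        """Seconds the caller must still wait before another attempt is accepted."""
        return max(0.0, self.locked_until.get(account, 0.0) - self.clock())

    def record(self, account, success):
        """Update state after an attempt; return the delay now imposed."""
        if success:
            # A successful login clears the account's failure history.
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        delay = self.delay_for(n)
        self.locked_until[account] = self.clock() + delay
        return delay


def total_wait(throttle, guesses):
    """Total enforced delay across `guesses` consecutive failed attempts."""
    return sum(throttle.delay_for(n) for n in range(1, guesses + 1))
```

Because the delay is keyed on the account name, anyone who knows a username can slow that user's logins; the cap bounds how long a legitimate user can be held off.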
