USS Clueless Stardate 20010627.1543

  USS Clueless

             Voyages of a restless mind


Stardate 20010627.1543 (On Screen): There seems to be a problem here. Either Win2K's LDAP allows an arbitrarily large number of remote password attempts, which permits a brute-force dictionary attack, or it permits a fixed number of failures and then disables the account, which permits an easy denial-of-service attack. (You could lock someone out of their own machine simply by hitting their account with enough bad passwords to trip the lockout.)

There is a third approach between these two: charge a moderate time penalty per miss. If five password attempts fail, lock the account for ten minutes, then unlock it automatically. That defeats a dictionary attack (the rate of probes drops to a few hundred per day, too slow to be practical against any reasonable password) while avoiding the permanent-lockout denial of service, because the account comes back on its own rather than waiting for an administrator. It does not eliminate the DOS entirely: an attacker can renew the lock by sending five bad guesses every ten minutes, so the temporary lock raises the cost of keeping someone out rather than removing the possibility. Windows 2000's Account Lockout Policy does in fact expose these as separate settings (lockout threshold, lockout duration, and the window after which the failure counter resets), so the middle ground is available to an administrator who sets them.
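The lockout policy described above, as an added example that is not code from the original post: a per-account failure counter with a temporary lock, a reset window for stale misses, and the arithmetic behind "the rate of probes drops too far". The user table, the fake clock, the account name and the guesses are all constructed here for the demonstration; the policy values mirror the text (five misses, ten-minute lock).

```python
"""Time-limited account lockout: the middle ground between unlimited guesses
and a permanent lock.  Added example, not code from the original post; the
user table, fake clock and guesses below are constructed for the demo."""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

THRESHOLD = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 600.0  # how long the lock lasts (ten minutes)
RESET_SECONDS = 600.0    # misses older than this no longer count toward the threshold


@dataclass
class _AccountState:
    failures: int = 0
    last_failure_at: float = 0.0
    locked_until: float = 0.0


class LockoutPolicy:
    """Per-account failure counter that locks temporarily instead of permanently."""

    def __init__(self, credentials: Dict[str, str],
                 clock: Callable[[], float] = time.monotonic,
                 threshold: int = THRESHOLD,
                 lockout_seconds: float = LOCKOUT_SECONDS,
                 reset_seconds: float = RESET_SECONDS) -> None:
        self._creds = credentials  # constructed user table; a real system stores password hashes
        self._clock = clock
        self._threshold = threshold
        self._lockout = lockout_seconds
        self._reset = reset_seconds
        self._state: Dict[str, _AccountState] = {}

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self._clock()
        st = self._state.setdefault(user, _AccountState())
        if now < st.locked_until:
            # While locked, even the right password is refused: this is the
            # window a denial-of-service attacker buys with bad guesses.
            return "locked"
        if st.failures and now - st.last_failure_at > self._reset:
            st.failures = 0  # observation window has passed; forget old misses
        stored = self._creds.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= self._threshold:
            st.locked_until = now + self._lockout
            st.failures = 0  # counter starts fresh once the lock expires
            return "locked"
        return "bad_password"


class FakeClock:
    """Controllable clock so lock expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def max_guesses_per_day(threshold: int = THRESHOLD,
                        lockout_seconds: float = LOCKOUT_SECONDS) -> float:
    """Upper bound on online guesses per account per day under the policy."""
    return threshold * 86400.0 / lockout_seconds


def days_to_exhaust(dictionary_size: int, threshold: int = THRESHOLD,
                    lockout_seconds: float = LOCKOUT_SECONDS) -> float:
    """Days an online dictionary attack needs to try every word once."""
    return dictionary_size / max_guesses_per_day(threshold, lockout_seconds)


def demo_lock_and_expire() -> List[str]:
    """Five misses lock the account, the owner is refused, the lock expires on its own."""
    clock = FakeClock()
    policy = LockoutPolicy({"alice": "correct horse"}, clock=clock)
    log = [policy.attempt("alice", g) for g in ("password", "123456", "letmein", "qwerty", "welcome")]
    log.append(policy.attempt("alice", "correct horse"))  # owner is locked out too
    clock.advance(LOCKOUT_SECONDS)                        # ten minutes pass
    log.append(policy.attempt("alice", "correct horse"))  # lock has expired
    return log


def demo_reset_window() -> str:
    """Misses older than the reset window do not accumulate toward a lock."""
    clock = FakeClock()
    policy = LockoutPolicy({"alice": "correct horse"}, clock=clock)
    for g in ("a", "b", "c", "d"):
        policy.attempt("alice", g)       # four misses, one short of the threshold
    clock.advance(RESET_SECONDS + 1)     # observation window passes
    for g in ("e", "f", "g"):
        policy.attempt("alice", g)
    return policy.attempt("alice", "h")  # eighth miss overall, only the fourth in this window


if __name__ == "__main__":
    print(demo_lock_and_expire())
    print(demo_reset_window())
    print(max_guesses_per_day(), days_to_exhaust(100_000))
```

With five misses per ten minutes the attacker gets at most 720 online guesses per account per day, so a 100,000-word dictionary takes about 139 days to run once; that is what makes the attack impractical, but it still finds a password that sits in the first few hundred entries, so the throttle does not replace a password-quality rule. Returning a distinct "locked" status also tells the attacker that the lock is in place; a deployment that wants to hide that can return the same generic failure for both cases.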

Captured by MemoWeb from http://denbeste.nu/entries/00000168.shtml on 9/16/2004