Re: [Assurance] Password Strength Requirements

  • From: David Bantz <>
  • To:
  • Subject: Re: [Assurance] Password Strength Requirements
  • Date: Wed, 8 Aug 2012 11:56:48 -0800

We do recognize that lockout on failed authN is a DoS API.
The rationale for implementing anyway is that actual exploit
would trigger an investigation leading to the miscreant or
circumvention by blacklisting, etc.

We silently suspend logins in LDAP for 30 minutes following
5 wrong password submissions. This limits the total number
of attempts over the life of the password so can be used to
increase calculated password entropy.

Informal assessment of experience is that DoS is much less
frequent than repeated mis-typed or mis-remembered passwords.
In response we have considered changing password policy
to lock after total lifetime bad password submissions hits, say
10,000.

Joe's alternative of blocking login attempts from offending IP
only is marginally better in foiling DoS by those unable to use or
spoof multiple IP addresses.

David Bantz
U Alaska

On Wed, 8 Aug 2012, at 11:33, Cantor, Scott wrote:

> On 8/8/12 2:51 PM, "Joe St Sauver" <> wrote:
>>
>> My concern with employing that approach would be that it could easily be
>> exploited for a trivial denial of service attack:
>
> I've gotten exactly nowhere arguing that this is a problem. That's
> somewhat reinforced by the fact that we've been doing it here for a while
> with no problems. Are there actual examples of this happening?
>
> The perspective here seems to be that the risk is low and the standard
> network scans we do detecting unusual activity would slam down fast enough.
>
> -- Scott
>
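The lockout variants discussed in this message, simulated as an added example (this is not code from the list or from any of the posters, and the user table, timestamps and IP addresses in it are constructed): an account-level policy that silently suspends a principal for 30 minutes after 5 wrong passwords, the considered lifetime cap on bad submissions, and the per-source-IP alternative. The `max_online_guesses` and `required_guessing_bits` helpers are assumptions about how one would turn the attempt limit into a bound on online guessing; the target success probability is a parameter, not a value from the thread.

```python
"""Account-lockout policy simulator (added example, not from the list thread)."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SUSPEND_AFTER = 5                       # wrong passwords before suspension
SUSPEND_FOR = timedelta(minutes=30)     # length of the silent suspension


@dataclass
class Counter:
    recent_failures: int = 0            # failures since last success / last suspension expiry
    suspended_until: Optional[datetime] = None
    lifetime_failures: int = 0          # never reset; used by the optional lifetime cap


class LockoutPolicy:
    """mode='account' keys counters by username (the policy in the message);
    mode='ip' keys them by source address (Joe's alternative)."""

    def __init__(self, credentials, mode="account", lifetime_cap=None):
        assert mode in ("account", "ip")
        self.credentials = credentials  # constructed user -> password map, stand-in for LDAP
        self.mode = mode
        self.lifetime_cap = lifetime_cap
        self.counters = {}

    def attempt(self, user, password, source_ip, now):
        key = user if self.mode == "account" else source_ip
        c = self.counters.setdefault(key, Counter())
        if self.lifetime_cap is not None and c.lifetime_failures >= self.lifetime_cap:
            return "locked"             # permanent until an administrator intervenes
        if c.suspended_until is not None:
            if now < c.suspended_until:
                return "denied"         # silent: even the right password is refused
            c.suspended_until = None
            c.recent_failures = 0
        if self.credentials.get(user) == password:
            c.recent_failures = 0
            return "ok"
        c.recent_failures += 1
        c.lifetime_failures += 1
        if c.recent_failures >= SUSPEND_AFTER:
            c.suspended_until = now + SUSPEND_FOR
        return "denied"


def max_online_guesses(password_lifetime, lifetime_cap=None):
    """Upper bound on wrong passwords an online guesser can submit against one
    account under the 5-per-30-minutes policy over the password's lifetime."""
    windows = math.ceil(password_lifetime / SUSPEND_FOR)
    guesses = windows * SUSPEND_AFTER
    return guesses if lifetime_cap is None else min(guesses, lifetime_cap)


def required_guessing_bits(max_guesses, target_success_probability):
    """Guessing entropy (bits) needed so that max_guesses uniformly random
    guesses succeed with probability at most target_success_probability."""
    return math.log2(max_guesses / target_success_probability)


def simulate(mode, lifetime_cap=None):
    """Constructed scenario: an attacker burns 5 guesses against 'alice' from
    10.0.0.9, then alice logs in correctly from 10.0.0.2 one minute later."""
    policy = LockoutPolicy({"alice": "correct horse"}, mode=mode, lifetime_cap=lifetime_cap)
    t0 = datetime(2012, 8, 8, 11, 56)
    attacker = [policy.attempt("alice", f"guess{i}", "10.0.0.9", t0) for i in range(5)]
    victim_during = policy.attempt("alice", "correct horse", "10.0.0.2", t0 + timedelta(minutes=1))
    victim_after = policy.attempt("alice", "correct horse", "10.0.0.2", t0 + timedelta(minutes=31))
    return {"attacker": attacker, "victim_during": victim_during, "victim_after": victim_after}


if __name__ == "__main__":
    for mode in ("account", "ip"):
        print(mode, simulate(mode))
    ninety_days = timedelta(days=90)
    print("guesses over 90 days:", max_online_guesses(ninety_days),
          "capped:", max_online_guesses(ninety_days, lifetime_cap=10_000))
    print("bits needed for 1/1024 success:",
          round(required_guessing_bits(max_online_guesses(ninety_days), 1 / 1024), 1))
```

Running `simulate("account")` shows the denial-of-service property the thread argues about: the victim's correct password is refused during the 30-minute suspension triggered by someone else's failures, then accepted once it expires. `simulate("ip")` shows the per-IP variant leaving the victim unaffected, at the cost of being defeated by a guesser who can spread attempts across many addresses, which is exactly the trade-off stated above.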