- From: David Bantz <>
- Subject: Re: [Assurance] Password Strength Requirements
- Date: Wed, 8 Aug 2012 11:56:48 -0800
We do recognize that lockout on failed authN is a DoS API. The rationale for implementing it anyway is that an actual exploit would trigger an investigation leading to the miscreant, or circumvention by blacklisting, etc.

We silently suspend logins in LDAP for 30 minutes following 5 wrong password submissions. This limits the total number of attempts over the life of the password, so it can be used to increase calculated password entropy.

Informal assessment of experience is that DoS is much less frequent than repeated mis-typing or a mis-remembered password. In response we have considered changing password policy to lock after total lifetime bad password submissions hit, say, 10,000.

Joe's alternative of blocking login attempts from the offending IP only is marginally better in foiling DoS by those unable to use or spoof multiple IP addresses.
David Bantz
U Alaska
On Wed, 8 Aug 2012, at 11:33 , Cantor, Scott wrote:
> On 8/8/12 2:51 PM, "Joe St Sauver" <> wrote:
>>
>> My concern with employing that approach would be that it could easily be
>> exploited for a trivial denial of service attack:
>
> I've gotten exactly nowhere arguing that this is a problem. That's
> somewhat reinforced by the fact that we've been doing it here for a while
> with no problems. Are there actual examples of this happening?
>
> The perspective here seems to be that the risk is low and the standard
> network scans we do detecting unusual activity would slam down fast enough.
>
> -- Scott
>
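The 5-failure / 30-minute silent suspension David describes, plus the proposed 10,000-submission lifetime cap, modelled as an added example (not code from U Alaska's LDAP setup or anyone on the list): it shows why the suspension bounds an online guesser's total attempts and how that bound feeds a calculated-entropy requirement. The 90-day password lifetime and the 1/1024 success target in the test are assumptions, not figures from the thread.

```python
import math
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # wrong submissions before suspension (from the post)
LOCKOUT_SECONDS = 30 * 60    # length of the silent suspension (from the post)
LIFETIME_CAP = 10_000        # lifetime bad submissions before a hard lock (post's proposal)


@dataclass
class AccountState:
    recent_failures: int = 0
    suspended_until: float = 0.0   # epoch seconds; 0 means not suspended
    lifetime_failures: int = 0
    hard_locked: bool = False


class LockoutPolicy:
    """Per-account failure counting with a silent, time-limited suspension."""

    def __init__(self, check_password):
        self._check = check_password   # callable(user, password) -> bool
        self._state = {}

    def attempt(self, user, password, now):
        st = self._state.setdefault(user, AccountState())
        if st.hard_locked or now < st.suspended_until:
            # "Silent" suspension: the caller sees an ordinary failure and the
            # password is not even checked, so a correct guess leaks nothing.
            return False
        if self._check(user, password):
            st.recent_failures = 0
            return True
        st.recent_failures += 1
        st.lifetime_failures += 1
        if st.lifetime_failures >= LIFETIME_CAP:
            st.hard_locked = True
        if st.recent_failures >= LOCKOUT_THRESHOLD:
            st.recent_failures = 0
            st.suspended_until = now + LOCKOUT_SECONDS
        return False


def max_online_guesses(lifetime_seconds):
    """Upper bound on guesses possible over the password's life: one burst of
    LOCKOUT_THRESHOLD guesses per suspension window, never more than the cap."""
    bursts = lifetime_seconds // LOCKOUT_SECONDS + 1
    return min(bursts * LOCKOUT_THRESHOLD, LIFETIME_CAP)


def bits_required(guesses, max_success_probability):
    """Entropy needed so that `guesses` uniform guesses succeed with at most
    the given probability: guesses / 2**bits <= p  =>  bits >= log2(guesses / p)."""
    return math.ceil(math.log2(guesses / max_success_probability))
```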