On 8 Sep 2006, in the Usenet newsgroup comp.security.misc, in article
<1157756221.128590.207380@i3g2000cwc.googlegroups.com>, John wrote:

>web password is commonly used in many web applications that require
>authentication.

Please remember that there is a heck of a lot more to computers than some
wonky web browser. The World Wide Web was invented some ten years _after_
the Internet.

>The question is what should the system do if there are multiple
>consecutive failed authentication attempts with a valid username but
>incorrect password? Should the system lock the account, or not do
>anything?

That depends on your threat model, and possibly what accounts they are.
IN GENERAL, locking the account is not usually a desired action. It's a
perfect Denial Of Service mechanism.

>I tried several famous email accounts and entered the incorrect
>password on purpose, but they didn't lock the account.

A more common solution is to slow the responses after a few (perhaps three)
failed login attempts. You type in a bad username or password, and the
program at the other end of the process waits a progressively longer and
longer time to tell you that the login attempt was incorrect. This normally
has no effect on the response to a valid username/password.

Another solution often seen to zombies trying to login to an SSH server
is that the remote IP address can be blackholed - perhaps for a few minutes
or even hours.

>please discuss. thanks!!

Practical UNIX and Internet Security, Third Edition, Garfinkel, Spafford,
and Schwartz Feb 2003, $54.95, ISBN 0-596-00323-4, 984 pages, O'Reilly

That's one of 47 different books on computer security from O'Reilly (see
www.ora.com). If UNIX is a dirty word to you, there are even a dozen books
aimed at windoze. I'm sure there are dozens of other such books available
from other publishers as well - a google search is suggested.

Old guy
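The progressive-delay scheme the reply describes (fast answers for the first three failures, then an ever-longer stall before each further "incorrect" response, with a correct password answered immediately and the counter cleared), as an added example that is not part of the thread. The user store, the `LoginThrottle` class and the constants are constructed for illustration.

```python
"""Progressive-delay login throttle keyed by username (constructed example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

FREE_ATTEMPTS = 3    # failures answered without delay, per the post's "perhaps three"
BASE_DELAY = 1.0     # seconds stalled on the first penalised failure
MAX_DELAY = 60.0     # cap so the stall cannot grow without bound

# Constructed sample credential store: username -> salted SHA-256 hex digest.
# (A real deployment would use a slow password hash; this is only a stand-in.)
_USERS = {"alice": hashlib.sha256(b"salt:correct horse").hexdigest()}


def _password_ok(user: str, password: str) -> bool:
    digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    # Unknown users compare against "" and fail; compare_digest keeps the
    # comparison itself constant-time.
    return hmac.compare_digest(_USERS.get(user, ""), digest)


def delay_for(failures: int) -> float:
    """Seconds to stall before reporting the given consecutive failure count."""
    if failures <= FREE_ATTEMPTS:
        return 0.0
    # 4th failure waits 1 s, 5th 2 s, 6th 4 s ... up to MAX_DELAY.
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY)


@dataclass
class LoginThrottle:
    failures: dict = field(default_factory=dict)  # user -> consecutive failures

    def attempt(self, user: str, password: str, sleep=time.sleep) -> bool:
        """Return True on a valid login; stall before returning False."""
        if _password_ok(user, password):
            self.failures.pop(user, None)   # success answers at once and resets
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        sleep(delay_for(count))             # only the failure response is slowed
        return False
```

Because only failure responses are delayed, a legitimate user who knows the password is never stalled, which is what keeps this from becoming the denial-of-service lever that outright lockout is.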