[sllug-members]: bad password delays
Lamont R. Peterson
lamont at gurulabs.com
Fri Aug 18 15:10:14 MDT 2006
On Thursday 17 August 2006 09:01am, Andrew Johnson wrote:
> A more sensible approach might be to allow 3 unsuccessful attempts before
> enforcing the delay,
No. No. No. :)
There is a *very* basic principle in security which that idea completely
violates: "Always fail in the same way." If you have fail states that cause
different behavior, this will give an attacker information they can use to
narrow down their search.
Let's say we implemented your idea. An attacker would simply try 3 times,
disconnect, try 3 times, disconnect, etc. By "disconnect" I mean whatever it
takes to reset the count.
In this case, we're talking about Xscreensaver, so what you say next could
apply.
> but that means keeping track of state, which might be
> hard in the design of Xscreensaver.
> I've noticed Gnome's new screensaver
> in Dapper Drake is less annoying when you use an incorrect password, at
> least for the first two attempts. Maybe it has some of this sort of logic.
I believe that it's still Xscreensaver; it just has a better dialog that's
been implemented (finally!). It's in FC5 and I think SUSE Linux
10.1/SLES10/SLED10. I could be wrong about this as I haven't bothered to
really check.
[snip]
--
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
NOTE: All messages from this email address should be digitally signed with my
0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
well as other keyservers that sync with MIT's.
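The two policies debated above, modelled as an added example (it is not code from the thread, from Xscreensaver, or from the GNOME screensaver). It simulates a password prompt with a fake clock rather than real sleeps: threshold_delay penalises only after three failures in one session, which is the proposal Lamont objects to, while uniform_delay "always fails in the same way". The reset_every argument models a client that reconnects, discarding the session counter, which is the "try 3 times, disconnect" pattern described in the message. The delay value, the Session class, the function names and the sample secret are all assumptions of this example.

```python
"""Failure-handling policies for a password prompt, run against a simulated clock.

Added example, not taken from the original thread. FAIL_DELAY_SECONDS, Session,
threshold_delay, uniform_delay and simulate are assumed names for this model.
"""
from dataclasses import dataclass
import hashlib
import hmac

FAIL_DELAY_SECONDS = 2.0  # assumed penalty; the real value is a policy choice

# Constructed sample secret for the demonstration (not a real credential).
EXPECTED_HASH = hashlib.sha256(b"correct horse").digest()


@dataclass
class Session:
    """Per-connection state; a 'disconnect' discards it and resets the count."""
    failures: int = 0


def check_password(candidate: str, expected_hash: bytes) -> bool:
    """Constant-time comparison of the candidate's digest against the stored one."""
    digest = hashlib.sha256(candidate.encode()).digest()
    return hmac.compare_digest(digest, expected_hash)


def threshold_delay(session: Session, ok: bool) -> float:
    """Allow 3 unsuccessful attempts per session, then delay (the criticised idea)."""
    if ok:
        return 0.0
    session.failures += 1
    return FAIL_DELAY_SECONDS if session.failures > 3 else 0.0


def uniform_delay(session: Session, ok: bool) -> float:
    """Always fail in the same way: every failure costs the same delay."""
    if ok:
        return 0.0
    session.failures += 1
    return FAIL_DELAY_SECONDS


def simulate(policy, candidates, expected_hash=EXPECTED_HASH, reset_every=None):
    """Feed candidate passwords through a policy and return the delay per attempt.

    reset_every=N models a client that reconnects (fresh Session) every N attempts,
    i.e. whatever it takes to reset a per-connection counter.
    """
    delays = []
    session = Session()
    for i, cand in enumerate(candidates):
        if reset_every and i and i % reset_every == 0:
            session = Session()
        ok = check_password(cand, expected_hash)
        delays.append(policy(session, ok))
    return delays


if __name__ == "__main__":
    wrong = ["wrong"] * 6
    for name, policy in (("threshold", threshold_delay), ("uniform", uniform_delay)):
        steady = simulate(policy, wrong)
        reconnecting = simulate(policy, wrong, reset_every=3)
        print(f"{name:9s} one session: {steady}  total {sum(steady):.0f}s")
        print(f"{name:9s} reconnect/3: {reconnecting}  total {sum(reconnecting):.0f}s")
```

With one session the threshold policy only penalises from the fourth failure on, and the three free attempts tell the client exactly where the counter stands; a client that reconnects every three attempts never pays any delay at all. The uniform policy gives the same result in both runs, so nothing about the counter's state can be read from the prompt's behaviour.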