[sllug-members]: bad password delays

Andrew Johnson tehlaser at gmail.com
Wed Aug 23 11:30:20 MDT 2006


Ok, good point, though perhaps overkill in this situation.  Since the
screensaver protects an already existing login session, there shouldn't be a
way to reset the timer.  It isn't like a remote login where an attacker can
just close the socket and try again.

And anyway, if someone is trying to guess your screensaver password, they're
probably sitting at the console.  Short of putting your computer inside a
safe, you aren't going to keep a determined attacker who has already gotten
this far out for much longer.

On 8/18/06, Lamont R. Peterson <lamont at gurulabs.com> wrote:
>
> No. No. No. :)
>
> There is a *very* basic principle in security which that idea completely
> violates: "Always fail in the same way."  If you have fail states that
> cause different behavior, this will give an attacker information they can
> use to narrow down their search.
>
> Let's say we implemented your idea.  An attacker would simply try 3 times,
> disconnect, try 3 times, disconnect, etc.  By "disconnect" I mean whatever
> it takes to reset the count.
>
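
The trade-off argued in this thread, as an added illustration that is not part of either message: it compares a delay that only starts after a failure threshold with a delay applied to every failure, for a resettable remote login and for a screensaver session that cannot be reset. The class and function names are hypothetical, the threshold of 3 comes from the quoted text, and the 5-second penalty is a constructed value.

```python
# Added illustration; names and constants are assumptions, not from the thread.
FREE_TRIES = 3    # threshold implied by "try 3 times, disconnect"
PENALTY_S = 5.0   # constructed delay value, in seconds


class ThresholdThrottle:
    """Delays only after FREE_TRIES failures; the count lives in the session."""

    def __init__(self):
        self.failures = 0

    def on_failure(self):
        self.failures += 1
        return PENALTY_S if self.failures > FREE_TRIES else 0.0


class UniformThrottle:
    """Every failure costs the same delay, so there is no count to reset."""

    def on_failure(self):
        return PENALTY_S


def enforced_wait(throttle_cls, guesses, reset_every=None):
    """Total delay the server imposes over `guesses` failed attempts.

    reset_every=N models a remote login where the client drops the
    connection after N tries, which discards per-session state.
    reset_every=None models the screensaver: one session, no reset.
    """
    throttle = throttle_cls()
    total = 0.0
    for attempt in range(guesses):
        if reset_every and attempt and attempt % reset_every == 0:
            throttle = throttle_cls()  # new connection, fresh state
        total += throttle.on_failure()
    return total


if __name__ == "__main__":
    for label, cls, reset in [
        ("threshold, remote login reset every 3", ThresholdThrottle, 3),
        ("threshold, screensaver (no reset)", ThresholdThrottle, None),
        ("uniform, remote login reset every 3", UniformThrottle, 3),
        ("uniform, screensaver (no reset)", UniformThrottle, None),
    ]:
        print(f"{label}: {enforced_wait(cls, 30, reset):.0f}s")
```
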