[sllug-members]: bad password delays

Lamont R. Peterson lamont at gurulabs.com
Wed Aug 23 16:06:54 MDT 2006


On Wednesday 23 August 2006 11:30am, Andrew Johnson wrote:
> Ok, good point, though perhaps overkill in this situation.  Since the
> screensaver protects an already existing login session, there shouldn't be
> a way to reset the timer.  It isn't like a remote login where an attacker
> can just close the socket and try again.
>
> And anyway, if someone is trying to guess your screensaver password,
> they're probably sitting at the console.

Not necessarily.  It's not that hard to connect to an X server and get access 
to everything that's being displayed.  It is possible.

Thankfully, the default, out-of-the-box configuration of any modern-ish Linux 
distribution (i.e. something newer than debian-stable :) hehe) should have X 
not accepting any kind of network connection (only using UNIX sockets).

> Short of putting your computer 
> inside a safe, you aren't going to keep a determined attacker who has
> already gotten this far out for much longer.

True.

That's a point I always bring up in all of the security classes I teach.  It's 
amazing how many people get tunnel-vision when it comes to network security 
and, therefore, completely forget about physical security.

> On 8/18/06, Lamont R. Peterson <lamont at gurulabs.com> wrote:
> > No. No. No. :)
> >
> > There is a *very* basic principle in security which that idea completely
> > violates: "Always fail in the same way."  If you have fail states that
> > cause different behavior, this will give an attacker information they can
> > use to narrow down their search.
> >
> > Let's say we implemented your idea.  An attacker would simply try 3
> > times, disconnect, try 3 times, disconnect, etc.  By "disconnect" I mean
> > whatever it takes to reset the count.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE:  All messages from this email address should be digitally signed with my
       0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
       well as other keyservers that sync with MIT's.
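The two points argued in the thread above, a failure counter that an attacker can reset by disconnecting and "always fail in the same way", as an added, constructed simulation (this is not code from the list, from Lamont, or from any real screensaver or PAM module). It models a password prompt two ways: a per-connection counter with distinct error messages, and an account-keyed counter that charges the same fixed delay and returns the same message on every failure. The account, the wordlist and the delay value are made up for the illustration, and delays are accumulated as simulated seconds rather than slept, so the run is deterministic.

```python
"""Constructed example: resettable per-connection delay vs. uniform delay.

No real authentication stack is used; USERS, WORDLIST and DELAY_SECONDS are
made-up values, and "delay" is summed as simulated seconds, not time.sleep().
"""
import hmac
from typing import Optional

USERS = {"alice": "hunter2"}      # constructed credential store
DELAY_SECONDS = 3.0               # cost charged for one failed attempt
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey",
            "baseball", "football", "iloveyou", "trustno1", "hunter2", "abc123"]


class ResettableSession:
    """The scheme criticised in the thread: the counter lives on the
    connection, so 'disconnect, reconnect' zeroes it, and the three distinct
    messages tell the attacker both whether the user exists and exactly when
    to reconnect."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = 0

    def attempt(self, user: str, password: str) -> tuple[bool, str, float]:
        if USERS.get(user) == password:
            return True, "ok", 0.0
        self.failures += 1
        if self.failures > self.threshold:
            return False, "too many attempts, slowing down", DELAY_SECONDS
        if user not in USERS:
            return False, "no such user", 0.0
        return False, "bad password", 0.0


class ResettableServer:
    def connect(self) -> ResettableSession:
        return ResettableSession()       # fresh counter on every connection


class UniformServer:
    """Counter keyed on the account and kept server-side; every failure costs
    the same delay and yields the same message through one code path, whether
    or not the account exists.  Caveat: keying on the account means an
    attacker can slow the legitimate user down too; the point shown here is
    only that reconnecting does not reset the cost."""

    def __init__(self):
        self.failures: dict[str, int] = {}

    def connect(self) -> "UniformServer":
        return self                      # nothing per-connection to reset

    def attempt(self, user: str, password: str) -> tuple[bool, str, float]:
        expected = USERS.get(user, "")   # unknown user follows the same path
        if hmac.compare_digest(expected, password):
            self.failures.pop(user, None)
            return True, "ok", 0.0
        self.failures[user] = self.failures.get(user, 0) + 1
        return False, "authentication failed", DELAY_SECONDS


def run_attack(server, user: str, wordlist, reconnect_every: Optional[int]):
    """Guess passwords for `user`, opening a new connection every
    `reconnect_every` attempts (None = stay on one connection).  Returns
    (index of the winning guess or None, total simulated delay paid,
    set of distinct failure messages the attacker got to see)."""
    total_delay, seen = 0.0, set()
    session = server.connect()
    for i, guess in enumerate(wordlist):
        if reconnect_every and i and i % reconnect_every == 0:
            session = server.connect()   # the "disconnect" from the thread
        ok, msg, delay = session.attempt(user, guess)
        total_delay += delay
        if ok:
            return i, total_delay, seen
        seen.add(msg)
    return None, total_delay, seen


def enumeration_leak(server) -> bool:
    """True if a wrong password for a real user and for a bogus user produce
    different messages, i.e. the prompt does not fail in the same way."""
    real = server.connect().attempt("alice", "wrong")[1]
    bogus = server.connect().attempt("nobody", "wrong")[1]
    return real != bogus


if __name__ == "__main__":
    for name, factory in (("resettable", ResettableServer),
                          ("uniform", UniformServer)):
        for every in (3, None):
            idx, delay, msgs = run_attack(factory(), "alice", WORDLIST, every)
            print(f"{name:10s} reconnect_every={every!s:4s} found_at={idx} "
                  f"delay={delay:5.1f}s messages={sorted(msgs)}")
        print(f"{name:10s} leaks account existence: {enumeration_leak(factory())}")
```

Against the resettable scheme, reconnecting every three guesses reaches the password at guess 11 having paid no delay at all, while staying on one connection would have cost seven delayed attempts; the uniform scheme charges every one of the ten failures regardless of reconnects and gives the attacker no message to distinguish a bad password from a nonexistent account.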