On Fri, 2011-03-04 at 17:22 -0500, Shawn Milochik wrote:
> the thread referred to above discusses throttling, whereas the
> "recommendation" provided to us by the auditors was user lockout
> requiring administrator activity (human intervention) to unlock.
This *creates* a denial of service vulnerability, especially if your usernames are public. (Otherwise the attacker has to guess at them.)

Richard
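As an added illustration of Richard's point (example code, not from the thread or any project discussed in it), the constructed simulation below compares the auditors' lockout-until-an-admin-unlocks rule with the throttling the earlier thread discussed; the username, threshold and delay values are assumed for the demonstration.

```python
# Constructed example (not from the thread): two responses to failed logins.
LOCKOUT_THRESHOLD = 5                 # failures before a hard lock (assumed)
BASE_DELAY, MAX_DELAY = 1.0, 300.0    # throttle backoff in seconds (assumed)

class LockoutPolicy:
    """Hard lockout: after LOCKOUT_THRESHOLD failures the account stays locked
    until an administrator calls unlock(); the passage of time never clears it."""
    def __init__(self):
        self.failures, self.locked = {}, set()

    def attempt(self, user, password_ok, now):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return "denied"

    def unlock(self, user):           # the human intervention the auditors asked for
        self.locked.discard(user)
        self.failures[user] = 0

class ThrottlePolicy:
    """Throttling: each failure doubles the wait before the next attempt is
    accepted; the wait expires by itself, so nobody has to be unlocked."""
    def __init__(self):
        self.failures, self.not_before = {}, {}

    def attempt(self, user, password_ok, now):
        if now < self.not_before.get(user, 0.0):
            return "throttled"        # rejected early, not counted as a failure
        if password_ok:
            self.failures[user], self.not_before[user] = 0, 0.0
            return "ok"
        n = self.failures[user] = self.failures.get(user, 0) + 1
        self.not_before[user] = now + min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)
        return "denied"

def simulate(policy):
    """Someone who knows the (public) username sends 10 wrong passwords for
    'alice' in a burst; an hour later alice tries her correct password."""
    for _ in range(10):
        policy.attempt("alice", False, now=0.0)
    return policy.attempt("alice", True, now=3600.0)

print(simulate(LockoutPolicy()))   # locked -> alice is denied until an admin acts
print(simulate(ThrottlePolicy()))  # ok     -> the burst cost alice nothing
```

Under the lockout rule the legitimate user is the one who ends up denied service; under throttling the cost of a burst of bad guesses is a delay that expires on its own.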