On Wednesday, November 26, 2003, at 04:50 AM, FileMatrix wrote:
> However, this still leaves an account opened for automated password
> cracking. Therefore, the system has to lock (for 24 hours) an account for
> which there are too many consecutive failed log-ins (for example, 10). This
> means that each PIK must be unique, so that the system can at any time
> determine to what account each PIK belongs.
No, George, as I said in an earlier email, there is no way for Pecunix to lock out an account for repeated invalid login attempts. Pecunix cannot identify an account just from the small portion of the PIK entered on a login attempt. Only the secret account id identifies the account, so if a hacker is trying those at random there is obviously no way for Pecunix to know which account to lock out.
Besides, as Ian Green points out, locking out an account for repeated invalid login attempts can have some very bad unintended consequences:
> I agree with you George, but I would be concerned that such a lock out system not be used as a denial of service method for attackers. For example, a competitor could make a login attempt every nine, ten or eleven seconds to the FileMatrix e-gold account and then take advantage of the disgruntled FileMatrix customers who got bad service.
-- Patrick
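The denial-of-service consequence Ian Green describes is easy to see with a small simulation. The code below is an added example, not from the thread or from any e-gold or Pecunix system: it models a hypothetical per-account lockout with the numbers George proposed (10 consecutive failures, 24-hour lock) and measures how often the real owner can log in while a third party sends one wrong password every ten seconds to that account. The account name, the owner's hourly login habit and the `LockoutPolicy` class are all constructed for the illustration.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10          # consecutive failures before lock (figure from the thread)
LOCKOUT_SECONDS = 24 * 60 * 60  # 24-hour lock (figure from the thread)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Hypothetical per-account lockout of the kind proposed in the thread."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lock_seconds=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.accounts = {}

    def _state(self, account_id):
        return self.accounts.setdefault(account_id, AccountState())

    def attempt(self, account_id, password_ok, now):
        """Process one login attempt at time `now`; return "locked", "ok" or "failed"."""
        st = self._state(account_id)
        if now < st.locked_until:
            return "locked"              # attempts during a lock are not even checked
        if password_ok:
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.threshold:
            st.locked_until = now + self.lock_seconds
            st.consecutive_failures = 0
        return "failed"


def simulate_lockout_dos(attacker_interval=10, hours=24):
    """Simulate one day second by second.

    A third party (if attacker_interval is not None) sends a wrong password to the
    victim's account every `attacker_interval` seconds; the real owner tries the
    correct password once an hour. Returns (owner_successes, owner_attempts).
    """
    policy = LockoutPolicy()
    victim = "victim-account"            # constructed sample account id
    successes = attempts = 0
    for t in range(hours * 3600):
        if attacker_interval is not None and t % attacker_interval == 0:
            policy.attempt(victim, password_ok=False, now=t)
        if t % 3600 == 1800:             # the owner logs in once an hour
            attempts += 1
            if policy.attempt(victim, password_ok=True, now=t) == "ok":
                successes += 1
    return successes, attempts


if __name__ == "__main__":
    print("with attacker:   ", simulate_lockout_dos())                     # (0, 24)
    print("without attacker:", simulate_lockout_dos(attacker_interval=None))  # (24, 24)
```

With the attacker present, the tenth wrong password arrives 90 seconds into the day and the account stays locked for the remaining 24 hours, so the owner's 24 login attempts all fail; without the attacker all 24 succeed. The attacker needs only the account identifier, never the password, which is why a lockout keyed on the account alone turns a brute-force defence into a cheap outage for whoever owns that account.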