On 8/27/07, David Boyes <[EMAIL PROTECTED]> wrote:
> I think we will have to agree to disagree. Most of the security weasels
> I know claim that the less information you give a potential intruder,
> the better, but that stems from their mindset that *everyone* is a
> potential intruder.
More like different context. For *authentication* it is good practice not to reveal any information when wrong credentials are supplied. This is where the weasels come from. It was just a nasty prank of mine to do a password check that provided hints like "4 good, 2 at the wrong place" or the "next password" response. The approach to "revoke" a user when "someone" tried to log on to that account 3 times with a wrong password is IMHO more a security problem than a solution to one.

But once the user is authenticated, it's not a potential intruder anymore. At that point we normally assume the user is doing the right thing, because business conduct guidelines will guide the user. If such a relation does not exist, you have entirely different problems that don't get solved by a "computer says No" response (see my "Less that G" approach).

Rob
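To show why the "4 good, 2 at the wrong place" style of feedback is a prank and not a feature, here is an added example (my own illustration, not code from Rob or from the thread) that builds exactly such a leaky checker, lets an attacker drive it, and contrasts it with a check that returns nothing but pass/fail. The secret "zebra7" and the 36-character alphabet are constructed for the demo; the attacker strategy uses only the "right character, right place" count that the leaky response hands out.

```python
import hmac
import string
from collections import Counter

# Constructed demo credential and alphabet; not taken from the thread.
SECRET = "zebra7"
ALPHABET = string.ascii_lowercase + string.digits


def leaky_check(guess: str, secret: str) -> tuple[bool, int, int]:
    """Mastermind-style password check.

    Returns (ok, in_place, misplaced): besides pass/fail it reports how
    many characters are correct and in position, and how many are
    present in the secret but at another position. This is the kind of
    "4 good, 2 at the wrong place" hint the post describes.
    """
    if guess == secret:
        return True, len(secret), 0
    in_place = sum(1 for g, s in zip(guess, secret) if g == s)
    # characters common to both strings regardless of position
    common = sum((Counter(guess) & Counter(secret)).values())
    return False, in_place, common - in_place


def safe_check(guess: str, secret: str) -> bool:
    """Uniform response: only pass/fail, compared in constant time so
    neither the return value nor the timing says which characters matched."""
    return hmac.compare_digest(guess.encode(), secret.encode())


def recover_via_leak(oracle, alphabet: str, length: int) -> tuple[str, int]:
    """Attacker against leaky_check, using only the in_place count.

    Start from an all-'a' baseline, then for each position try every
    other character; the one that raises the in_place count is the
    secret character there. If none does, the baseline character was
    already right. Cost is at most 1 + length*(len(alphabet)-1) queries
    instead of len(alphabet)**length for blind guessing.
    """
    queries = 0

    def ask(candidate: str):
        nonlocal queries
        queries += 1
        return oracle(candidate)

    base_char = alphabet[0]
    baseline = [base_char] * length
    _, base_in_place, _ = ask("".join(baseline))
    recovered = list(baseline)
    for pos in range(length):
        for ch in alphabet[1:]:
            trial = list(baseline)
            trial[pos] = ch
            _, in_place, _ = ask("".join(trial))
            if in_place > base_in_place:
                recovered[pos] = ch
                break
    return "".join(recovered), queries


if __name__ == "__main__":
    found, cost = recover_via_leak(lambda g: leaky_check(g, SECRET), ALPHABET, len(SECRET))
    print(f"leaky oracle: recovered {found!r} in {cost} queries "
          f"(blind search space: {len(ALPHABET) ** len(SECRET)})")
    print("safe check on recovered value:", safe_check(found, SECRET))
```

Against the uniform `safe_check` the attacker gets a single bit per attempt and is back to guessing; that is the whole point of not revealing anything on a failed login, and it is independent of whether you also lock the account after a few failures.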