On Wed, 29 May 2002, Arnt Gulbrandsen wrote:
>[EMAIL PROTECTED]
>> (6) For sections--
>>
>> > 6.2.1. AUTHENTICATE Command
>>
>> and
>>
>> > 6.2.2. LOGIN Command
>>
>> some discussion of methods to limit the number of auth/login attempts
>> allowed and/or other mechanisms to discourage name/password
>> hacking (e.g. exponentially delay the server reply for failed attempts)
>> might be appropriate.
>It seems sensible to have an RFC discussing that, but should that RFC be
>titled "IMAP"?
>If there is such an RFC at present (somewhere in the SASL RFCs, for
>example?), the IMAP RFC should refer to it and not say anything more.
>IMNSHO.
>If there isn't any, wouldn't it be best for the IMAP RFC to simply
>recommend following the best current practices for discouraging
>name/password hacking?
Doesn't the comment say "and/or other mechanisms to discourage
name/password hacking"...?

IMO, it does no harm to recommend mechanisms in the RFC for dropping the
connection after N failed login attempts.

Andy

--
Andreas Aardal Hanssen
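The two mechanisms discussed in this thread, an exponentially growing delay before the reply to a failed LOGIN and dropping the connection after N failures, combined in one per-connection throttle. This is an added illustration, not code from the thread or from any IMAP server; the limits (3 failures, 1 s base delay, 30 s cap), the `ImapSession` class, the in-memory credential store and the injectable `sleep` are assumptions made for the example.

```python
"""Added example (not from the original thread): throttle failed IMAP LOGIN
attempts on one connection with an exponential reply delay and disconnect
after MAX_FAILURES. All names, limits and the user store are assumptions."""

import hashlib
import hmac
import time

# Constructed credential store for the demo only. A real server keeps a
# salted, slow password hash or delegates to a SASL backend.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

MAX_FAILURES = 3     # assumed policy: drop the connection after N failed attempts
BASE_DELAY = 1.0     # assumed: seconds of delay after the first failure
MAX_DELAY = 30.0     # assumed cap so the delay stays bounded


def check_password(user, password):
    """Compare a hash of the offered password against the store in constant time.
    Unknown users are hashed and compared too, so they cost the same as a wrong
    password and do not leak which names exist via timing."""
    offered = hashlib.sha256(password.encode()).hexdigest()
    expected = USERS.get(user, "0" * 64)
    return user in USERS and hmac.compare_digest(offered, expected)


class ImapSession:
    """Minimal model of one IMAP connection's LOGIN handling.

    `sleep` is injectable so the backoff can be exercised without waiting."""

    def __init__(self, sleep=time.sleep):
        self.failures = 0
        self.authenticated = None
        self.connected = True
        self.delays = []         # delays applied so far, kept for inspection
        self._sleep = sleep

    def login(self, tag, user, password):
        """Handle `tag LOGIN user password`; return the server's reply text,
        or None if the connection was already dropped."""
        if not self.connected:
            return None
        if check_password(user, password):
            self.failures = 0
            self.authenticated = user
            return f"{tag} OK LOGIN completed"

        self.failures += 1
        # Exponential delay before the NO reply: 1 s, 2 s, 4 s, ... capped.
        delay = min(BASE_DELAY * 2 ** (self.failures - 1), MAX_DELAY)
        self.delays.append(delay)
        self._sleep(delay)

        if self.failures >= MAX_FAILURES:
            # Drop the connection after N failures. IMAP announces a
            # server-initiated close with an untagged BYE.
            self.connected = False
            return f"{tag} NO LOGIN failed\r\n* BYE Too many failed login attempts"
        return f"{tag} NO LOGIN failed"


def demo():
    """Three wrong passwords on one connection, with sleep replaced by a no-op."""
    s = ImapSession(sleep=lambda _seconds: None)
    replies = [
        s.login("a1", "alice", "wrong"),
        s.login("a2", "alice", "still wrong"),
        s.login("a3", "alice", "nope"),
        s.login("a4", "alice", "correct horse"),  # too late: connection is gone
    ]
    return replies, s.delays, s.connected


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The delay is applied per connection, which bounds how fast a single connection can guess but not how many connections an attacker opens; a real deployment pairs this with a per-source or per-account counter, and the cap on the delay keeps a deliberately failing client from pinning a worker for an unbounded time.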