Hi!

On Sat, 2009-05-09 at 12:51 -0700, bob 001 wrote:
[...]
> Do we have any setting where we can set maximum retries for wrong
> password before it locks the account or something like that?
>
> isn't it otherwise easily breakable via bots by trying different
> passwords to the same web url.
Easily? See another mail.

The problem with such schemes is that it's quite easy to lock out others:
you get the email addresses from the archive and try until it fails. At
least it pisses off the list admin if he has to explicitly enable lots of
accounts every other day .....

> How'z experts here controlling this piece of security?

All of:

- Let people only login over https.
- Use really random passwords (and long - not only 8 characters). E.g.
  the "expect" package has a `mkpasswd` program to generate such.
- Depending on the security situation of your laptop/desktop/..., most
  browsers allow you to let them remember the password for you. So you
  have to really enter it only the first time.

And a usual strategy is that you disable login for an account for one
second after the first wrong try. And after each other, you double the
time. That "allows" the user to mistype a few times without any
noticeable drawback - and after 3 failed attempts I usually hit the
"send password" button anyways. And after some time the system forgets
(or reduces) the number of failed attempts.

The other - IMHO more effective - solution is to count attempts for each
IP address separately. But that may lead to a potential DoS attack
against the server (because one needs the space to store that. And
current bot/zombie nets are quite large and come in from lots of IP
addresses). Hmm, perhaps having one counter per IP address (and use that
one counter for all IP addresses for all accounts) is good enough. Or
cumulate /24 or /28 nets (which allows the zombie-PC of your "IP address
neighbor" to disable your account).

Does such added security (if it actually is) outweigh the efforts and
risks given the possible damage (as outlined in another mail)?
Bernd
-- 
Firmix Software GmbH                  http://www.firmix.at/
mobil: +43 664 4416156                fax: +43 1 7890849-55
      Embedded Linux Development and Services

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
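The escalating-delay scheme Bernd describes (one second after the first wrong password, doubled after each further one, forgotten after a quiet period), together with the per-IP or per-/24 counting he weighs against it, as an added illustration. This is not Mailman code and not from the thread; the class `LoginThrottle`, the helper `ip_key`, the 1 hour forget window, the 100000-entry table cap and the injectable `clock` are all assumptions chosen for the example. The bounded table is there because of the memory-DoS concern raised in the mail: when the table is full, the key that failed longest ago is evicted rather than letting a bot net grow it without limit.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    failures: int = 0          # failed attempts still "remembered"
    locked_until: float = 0.0  # clock value until which logins are refused
    last_failure: float = 0.0  # clock value of the most recent failure


class LoginThrottle:
    """Escalating delay after failed logins (hypothetical helper, not
    Mailman's): base_delay after the first wrong password, doubled after
    every further one, capped at max_delay and forgotten once the key has
    been quiet for forget_after seconds.  The key is whatever you decide
    to count on: an account name, a client IP, or a network from ip_key."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, forget_after=3600.0,
                 max_entries=100_000, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.forget_after = forget_after
        self.max_entries = max_entries  # bounds memory against large bot nets
        self.clock = clock              # injectable so the logic is testable
        self._entries = {}

    def _entry(self, key):
        now = self.clock()
        entry = self._entries.get(key)
        if entry is None:
            if len(self._entries) >= self.max_entries:
                # Table full: evict the key that failed longest ago so a
                # zombie net spraying attempts cannot grow it without bound.
                stale = min(self._entries,
                            key=lambda k: self._entries[k].last_failure)
                del self._entries[stale]
            entry = self._entries[key] = _Entry()
        elif now - entry.last_failure >= self.forget_after:
            # Quiet period elapsed: the system forgets the old failures.
            entry.failures = 0
            entry.locked_until = 0.0
        return entry

    def seconds_blocked(self, key):
        """0.0 if an attempt for this key may be processed now, else the
        number of seconds the caller should refuse it."""
        entry = self._entry(key)
        return max(0.0, entry.locked_until - self.clock())

    def record_failure(self, key):
        """Register a wrong password; returns the delay now imposed."""
        entry = self._entry(key)
        now = self.clock()
        entry.failures += 1
        entry.last_failure = now
        delay = min(self.max_delay,
                    self.base_delay * 2 ** (entry.failures - 1))
        entry.locked_until = max(entry.locked_until, now + delay)
        return delay

    def record_success(self, key):
        """Correct password: drop the counter for this key entirely."""
        self._entries.pop(key, None)

    def tracked(self):
        """Number of keys currently held (shows the memory cost)."""
        return len(self._entries)


def ip_key(address, prefix=24):
    """Aggregate a client address to its /prefix network, as the mail
    suggests for /24 or /28 counting.  Note the trade-off it mentions:
    everyone inside that block then shares one counter."""
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


if __name__ == "__main__":
    # Constructed demo: three wrong passwords for one account in a row.
    throttle = LoginThrottle()
    for attempt in range(3):
        print("delay now", throttle.record_failure("alice"), "s")
    print("blocked for", round(throttle.seconds_blocked("alice"), 1), "s")
    print("per-/24 key for 203.0.113.77:", ip_key("203.0.113.77"))
```

In a web login handler you would call `seconds_blocked(key)` before checking the password, `record_failure(key)` on a mismatch and `record_success(key)` on a match; whether `key` is the account name, the raw client address or `ip_key(address)` is exactly the choice the mail discusses, and each choice decides who a bot can lock out and how much state the server has to hold.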