Hi!

On Sat, 2009-05-09 at 12:51 -0700, bob 001 wrote:
[...]
> Do we have any setting where we can set maximum retries for wrong
> password before it locks the account or something like that?
> 
> isn't it otherwise easily breakable via bots by trying different
> passwords to the same web url.

Easily? see another mail.
The problem with such schemes is that it's quite easy to lock out
others: You get the email addresses from the archive and try until it
fails.
At least it pisses off the list admin if he has to explicitly enable
lots of accounts every other day .....

> How'z experts here controlling this piece of security?

All of:
- Let people only login over https.
- Use really random passwords (and long - not only 8 characters). E.g.
  the "expect" package has a `mkpasswd` program to generate such.
- Depending on the security situation of your laptop/desktop/..., most
  browsers allow you to let them remember the password for you. So
  you have to really enter it only the first time.

And a usual strategy is that you disable login for an account for one
second after the first wrong try. And after each other, you double the
time.
That "allows" the user to mistype a few times without any noticable
drawback - and after 3 failed attempts I usually hit the "send password"
button anyways.
And after some time the system forgets (or reduces) the number of failed
attempts.
The other - IMHO more effective - solution is to count attempts for each
IP address separately. But that may lead to a potential DoS attack
against the server (because one needs the space to store that. And
current bot/zombie nets are quite large and come in from lots of IP
addresses).
Hmm, perhaps having one counter per IP address (and use that one counter
for all IP address for all accounts) is good enough.
Or cumulate /24 or /28 nets (which allows the zombie-PC of your "IP
address neighbor" to disable your account).

Does such added security (if it actually is) outweigh the efforts and
risks given the possible damage (as outlined in another mail)?

        Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services
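The back-off scheme sketched in the mail above (block for one second after the first wrong try, double the delay after each further failure, forget old failures after a while) together with the per-IP or per-/24 counting and its storage concern, written out as an added Python example. This is illustration code, not part of Mailman or of the thread; the class name `LoginThrottle`, its method names and the sample addresses and accounts are constructed for the example.

```python
"""Exponential back-off login throttle (added example, not Mailman code)."""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class _Record:
    failures: int = 0          # consecutive failed attempts under this key
    last_failure: float = 0.0  # time of the most recent failure


class LoginThrottle:
    """Tracks failed logins per key and says how long a client must wait.

    After n failures the delay is base_delay * 2**(n-1), capped at max_delay.
    Records untouched for forget_after seconds are dropped, and the table is
    capped at max_entries so a large botnet cannot grow it without bound.
    With prefix_len set (e.g. 24), all clients of one /24 share a counter.
    """

    def __init__(self, base_delay=1.0, max_delay=3600.0,
                 forget_after=24 * 3600.0, prefix_len=None, max_entries=10000):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.forget_after = forget_after
        self.prefix_len = prefix_len
        self.max_entries = max_entries
        self._records: dict[str, _Record] = {}

    def key_for(self, account, ip):
        """Counter key: per account by default, per client network if prefix_len is set."""
        if self.prefix_len is None:
            return f"acct:{account}"
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        return f"net:{net}"

    def delay_for(self, failures):
        """Lock-out duration after a given number of consecutive failures."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def _expire(self, now):
        # Forget failures that are old enough, then enforce the hard size cap
        # by evicting the records with the oldest failure first.
        stale = [k for k, r in self._records.items()
                 if now - r.last_failure >= self.forget_after]
        for k in stale:
            del self._records[k]
        while len(self._records) > self.max_entries:
            oldest = min(self._records, key=lambda k: self._records[k].last_failure)
            del self._records[oldest]

    def wait_seconds(self, account, ip, now=None):
        """Seconds the client must still wait before an attempt is accepted (0 = go ahead)."""
        now = time.time() if now is None else now
        self._expire(now)
        rec = self._records.get(self.key_for(account, ip))
        if rec is None:
            return 0.0
        return max(0.0, rec.last_failure + self.delay_for(rec.failures) - now)

    def record_failure(self, account, ip, now=None):
        """Register a wrong password; returns the new consecutive-failure count."""
        now = time.time() if now is None else now
        rec = self._records.setdefault(self.key_for(account, ip), _Record())
        rec.failures += 1
        rec.last_failure = now
        self._expire(now)
        return rec.failures

    def record_success(self, account, ip):
        """A correct password clears the counter for that key."""
        self._records.pop(self.key_for(account, ip), None)


if __name__ == "__main__":
    # Constructed walk-through: five wrong passwords from one client.
    t = LoginThrottle(base_delay=1.0, max_delay=8.0)
    for n in range(1, 6):
        t.record_failure("bob@example.org", "192.0.2.10", now=float(n))
        print(n, "failures -> wait", t.delay_for(n), "s")
```

The check is split in two calls so the web front end can ask `wait_seconds()` before even verifying the password and only call `record_failure()` or `record_success()` afterwards; the `max_entries` cap is what keeps the per-IP variant from turning into the storage DoS the mail worries about, at the price of forgetting the oldest offenders when the table fills up.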

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9
