Hi,

> From a usability point of view, I think rounding up considerably on
> numbers makes sense.

Ok, happy with that. At some point we're going to just have to pick a number, maybe I'll go for 2 hours.

> Is the issue dictionary attacks? If that's the case, a one-minute
> lockout would serve the purpose, wouldn't it?

Kind of, it's all a trade-off between preventing brute force attacks and preventing denial of service attacks.

> problematic. It would add some increased security if you were able to
> see that the IP changed, and test if the change is acceptable (using
> the GeoIP library to see the new and old location, and acceptable
> changes should be regionally similar -- an IP should never switch from
> the US to Russia, for instance).

Ok, this sort of functionality has more recently been added to online banking sites - services like RSA PassMark do this. Not appropriate for our kind of sites I think.

> What is the advantage of "hmac_sha1(master_salt, user_name)" over
> "master_salt+username"?

Minimal, it's just that HMAC is specifically designed for combining two values in a hash like this.

Paul

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
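An added example, not code from the thread or from the repoze project, showing the two points discussed above in Python: a per-user salt derived as hmac_sha1(master_salt, user_name) beside the plain master_salt+username hash, and a per-username failed-login lockout whose window length is the knob the thread is trying to pick. The threshold of 5 failures, the `LockoutTracker` class and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import time

LOCKOUT_THRESHOLD = 5          # failed attempts before lockout (assumed value)
LOCKOUT_SECONDS = 2 * 60 * 60  # the 2-hour window floated in the thread


def derive_user_salt(master_salt: bytes, username: str) -> bytes:
    """Per-user salt as hmac_sha1(master_salt, user_name): key and message stay separate."""
    return hmac.new(master_salt, username.encode("utf-8"), hashlib.sha1).digest()


def derive_user_salt_concat(master_salt: bytes, username: str) -> bytes:
    """The alternative from the thread: a plain SHA-1 over master_salt+username."""
    return hashlib.sha1(master_salt + username.encode("utf-8")).digest()


class LockoutTracker:
    """Counts failed logins per username and refuses logins for a fixed window.

    Trade-off shown here: the longer the window, the fewer guesses an attacker
    gets per hour, but anyone who knows a username can keep that account
    locked by sending `threshold` bad passwords once per window (denial of service).
    """

    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so the window can be tested
        self.failures = {}                 # username -> (count, time of last failure)

    def is_locked(self, username: str) -> bool:
        entry = self.failures.get(username)
        if entry is None:
            return False
        count, last = entry
        if count < self.threshold:
            return False
        if self.clock() - last >= self.lockout_seconds:
            del self.failures[username]    # window expired, start with a clean slate
            return False
        return True

    def record_failure(self, username: str) -> None:
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)  # a good login clears the counter
```

Call `is_locked` before checking the password and `record_failure`/`record_success` after, so that a locked account is rejected without revealing whether the supplied password was right.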