Date: Wed, 7 Apr 1999 10:30:54 -0700 (MST)
From: Ryan Mooney <ryan@pcslink.com>
To: stuart@eclipse.net.uk (Stuart Henderson)
Cc: leifn@neland.dk, danny@hilink.com.au, wcooley@nakedape.navi.net, freebsd-isp@FreeBSD.ORG
Subject: Re: Web Based Script
Message-ID: <199904071730.KAA25311@pcslink.com>
In-Reply-To: <370B9408.B8DB8F81@eclipse.net.uk> from Stuart Henderson at "Apr 7, 99 06:21:12 pm"

> > At least POP puts a delay between the bad logins, which slows
> > password guessing down.
>
> That is down to the particular server you use, same as with http. (If
> your httpd doesn't have a sleep for a bad password, assuming you have
> source, it won't usually take long to find the relevant place to insert
> one :)

Yes, but "clever hacker"(TM) can run multiple requests in parallel for
either one, which basically renders the whole delay thing of questionable
value. Of course it's a wee little bit harder to do, but far from actually
being difficult.

The only cure is enforcing good passwords, or better, using one time
tokens (skey, etc...) (neither of which is feasible in this case, maybe
SSL with mutual client/server certificate authentication if you're really
paranoid, but get your users to adopt it... <ugh>).

>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
Ryan Mooney   Phone (602)265-9188   PCSLink
ryan@pcslink.com   Internet Services

NT is an excellent choice for managers who need to show that they
used up their fiscal year budget for hardware/software expenditures.
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
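
Added example, not part of the original message or of any server discussed in the thread: a virtual-clock simulation of the point above, counting how many password checks a server performs against one account when the bad-login sleep is per connection, compared with a failure delay keyed on the account and shared by all connections. The class name, account name and delay values are constructed for illustration.

```python
from collections import defaultdict

class AccountThrottle:
    """Exponential failure delay keyed on the account, not the connection."""
    def __init__(self, base=1.0, cap=300.0):
        self.base, self.cap = base, cap
        self.failures = defaultdict(int)
        self.not_before = defaultdict(float)

    def allowed(self, account, now):
        return now >= self.not_before[account]

    def record_failure(self, account, now):
        self.failures[account] += 1
        delay = min(self.cap, self.base * 2 ** (self.failures[account] - 1))
        self.not_before[account] = now + delay

def simulate(connections, window, throttle=None, conn_delay=3.0):
    """Return the number of password checks performed against one account
    in `window` seconds of virtual time. Every attempt is a bad login and
    each connection retries as soon as its own per-connection sleep ends."""
    account = "alice"                      # constructed account name
    next_try = [0.0] * connections
    checks, t = 0, 0.0
    while t <= window:
        for c in range(connections):
            if next_try[c] > t:
                continue                   # this connection is still sleeping
            next_try[c] = t + conn_delay   # per-connection sleep after failure
            if throttle and not throttle.allowed(account, t):
                continue                   # refused before the password is checked
            checks += 1
            if throttle:
                throttle.record_failure(account, t)
        t += 1.0
    return checks

if __name__ == "__main__":
    for n in (1, 50):
        print(n, "connections, per-connection sleep only:", simulate(n, 60))
        print(n, "connections, per-account delay:",
              simulate(n, 60, AccountThrottle()))
```

Keying the delay on the account lets anyone who knows a username slow that user's own logins, so it bounds the guessing rate rather than replacing the good passwords or one-time tokens the message recommends.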