From owner-freebsd-isp Wed Apr 7 10:34:38 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from pcslink.com (pcslink.com [206.43.160.1])
	by hub.freebsd.org (Postfix) with ESMTP id 58CD115818
	for ; Wed, 7 Apr 1999 10:34:36 -0700 (PDT)
	(envelope-from ryan@pcslink.com)
Received: (from ryan@localhost)
	by pcslink.com (8.8.7/8.6.12) id KAA25311;
	Wed, 7 Apr 1999 10:30:54 -0700 (MST)
From: Ryan Mooney
Message-Id: <199904071730.KAA25311@pcslink.com>
Subject: Re: Web Based Script
In-Reply-To: <370B9408.B8DB8F81@eclipse.net.uk> from Stuart Henderson at "Apr 7, 99 06:21:12 pm"
To: stuart@eclipse.net.uk (Stuart Henderson)
Date: Wed, 7 Apr 1999 10:30:54 -0700 (MST)
Cc: leifn@neland.dk, danny@hilink.com.au, wcooley@nakedape.navi.net, freebsd-isp@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31H (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > At least POP puts a delay between the bad logins, which slows
> > password guessing down.
>
> That is down to the particular server you use, same as with http. (If
> your httpd doesn't have a sleep for a bad password, assuming you have
> source, it won't usually take long to find the relevant place to insert
> one :)

Yes but "clever hacker"(TM) can run multiple requests in parallel for
either one which basically renders the whole delay thing of questionable
value. Of course it's a wee little bit harder to do, but far from actually
being difficult.

The only cure is enforcing good passwords, or better using one time
tokens (skey, etc...) (neither of which is feasible in this case, maybe
SSL with mutual client/server certificate authentication if you're really
paranoid, but get your users to adopt it... ).

>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
Ryan Mooney                                      Phone (602)265-9188
PCSLink                                             ryan@pcslink.com
Internet Services

NT is an excellent choice for managers who need to show that they used up
their fiscal year budget for hardware/software expenditures.
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->
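
The point about parallel requests, as an added example that is not part of the original message: a small simulation counting how many guesses against one account a server checks per minute when the bad-password delay is applied per connection and, going beyond the message, when the same delay is tracked per account across all connections. The 3-second delay, 1-second retry interval and connection counts are assumed values.

```python
import heapq

DELAY = 3.0   # seconds of delay after a bad password (assumed value)
RETRY = 1.0   # how soon a refused connection tries again (assumed value)


def evaluated_guesses(connections, window, per_account=False, delay=DELAY):
    """Count password guesses the server actually checks for ONE account
    within `window` seconds, given `connections` parallel clients.

    per_account=False: each connection is delayed on its own after a bad
                       password (the sleep() discussed in the thread).
    per_account=True:  the delay is tracked per account name and shared by
                       all connections; attempts arriving early are refused
                       without checking the password.
    """
    ready = [0.0] * connections      # time at which each connection may try
    heapq.heapify(ready)
    account_blocked_until = 0.0      # shared state, used only if per_account
    checked = 0
    while ready and ready[0] < window:
        now = heapq.heappop(ready)
        if per_account and now < account_blocked_until:
            heapq.heappush(ready, now + RETRY)   # refused, nothing checked
            continue
        checked += 1                             # password compared, fails
        account_blocked_until = now + delay
        heapq.heappush(ready, now + delay)       # this connection sleeps
    return checked


def compare(window=60.0, fan_out=(1, 10, 50)):
    """Return {connections: (per_connection, per_account)} guess counts."""
    return {n: (evaluated_guesses(n, window),
                evaluated_guesses(n, window, per_account=True))
            for n in fan_out}


if __name__ == "__main__":
    for n, (per_conn, per_acct) in compare().items():
        print(f"{n:3d} connections: per-connection delay {per_conn:5d} "
              f"guesses/min, per-account delay {per_acct:3d} guesses/min")
```

A per-account delay also slows the legitimate owner while guessing is in progress and does nothing against single guesses spread over many accounts, so it does not replace the good passwords or one-time tokens the message recommends.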