Subject: Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: lugnet.admin.general
Date: Thu, 30 Mar 2000 23:29:10 GMT
In lugnet.admin.general, Dan Boger writes:
> > As an aside, would you actually allow someone to brute-force hack into a
> > LUGNET account? Or disable the account for X hours automatically after Y
> > fails? If Y was 5 or something else low, then the possibility of brute-force
> > hacks is significantly reduced?
>
> definitely - disable for 30 minutes after 5 failed attempts, counting a
> bad cookie as an attempt...
You could make it stricter, I think: send out an email warning with a code# to
the member, and block access until they have replied. You could either use the
code# to automate unblocking the account, or as part of a manual check. The
code# would prevent the potential hacker from forging the member's email
address. Mind you, if the hacker had hacked into the mail account, then they
could unblock it that way. The mail account would probably be easier to hack
into than LUGNET anyway ;-)
Richard
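
Added example, not part of the original post or of LUGNET's code: a sketch of the two policies discussed in this message, the 30-minute lockout after 5 failures (bad cookies counted) and the stricter block-until-the-emailed-code-is-returned variant. The class, its method names and the `send_mail` callback are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_FAILS = 5            # "Y" in the thread
LOCK_SECONDS = 30 * 60   # "X": the 30-minute variant


class Lockout:
    """Per-account failure counter; all names here are hypothetical."""

    def __init__(self, require_email_code=False, send_mail=None):
        self.require_email_code = require_email_code
        self.send_mail = send_mail or (lambda account, code: None)
        self.fails = {}         # account -> consecutive failures
        self.locked_until = {}  # account -> unix time (timed variant)
        self.code_hash = {}     # account -> SHA-256 of the mailed code

    def is_blocked(self, account, now):
        if account in self.code_hash:
            return True  # stays blocked until the mailed code comes back
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Call for a bad password and for a bad cookie alike."""
        if self.is_blocked(account, now):
            return  # already blocked: do not re-mail or extend the lock
        self.fails[account] = self.fails.get(account, 0) + 1
        if self.fails[account] < MAX_FAILS:
            return
        self.fails[account] = 0
        if self.require_email_code:
            code = secrets.token_urlsafe(16)  # unguessable, mailed once
            self.code_hash[account] = hashlib.sha256(code.encode()).digest()
            self.send_mail(account, code)
        else:
            self.locked_until[account] = now + LOCK_SECONDS

    def record_success(self, account):
        self.fails.pop(account, None)

    def unblock(self, account, code):
        """Compare the returned code in constant time; True if unblocked."""
        expected = self.code_hash.get(account)
        got = hashlib.sha256(code.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, got):
            return False
        del self.code_hash[account]
        return True
```

Only a hash of the code is kept server-side, so reading the lockout table does not reveal a usable unlock code.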