To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.generalOpen lugnet.admin.general in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / General / 7770
7769  |  7771
Subject: 
Re: LUGNET Memberships
Newsgroups: 
lugnet.people, lugnet.admin.general
Date: 
Mon, 25 Sep 2000 14:45:34 GMT
Viewed: 
69 times
  
In lugnet.people, Todd Lehman writes:

Disable accounts on repeated fails and you make it trivial to DoS someone.
Disable IP addresses and you lock out the innocent on shared proxy servers.


Not if you only disable loggin in as that user from that ip.

I'm not sure if I'm remembering the figures exactly, but IIRC it currently
passes 6-character pw's containing an average of approximately 24-26 bits of
unique information.  To make pw's more "practical" would mean dropping that
even further (26 is already somewhat risky) down to something like probably
18.  Even 2^20 is only one million, and 2^18 is only 1/4 million.  If someone
ran one innocuous HTTP request per second, it would take less than a week to
make 2^18 attempts in that more relaxed pw validation scenario.

2^18 is open net hockey for crackers.

I think a minimum of 6 characters is a good limit.  It's the character
diversity that is causeing problems.  Also, you could make failed attempts
take a few extra seconds to further delay brute force attacks.  You
cold even make successful logins take a few extra seconds just for good
measure.

BTW, no password is required to post right?

KL



Message has 1 Reply:
  Re: LUGNET Memberships
 
(...) Is there a way to tell if a given IP address is a shared proxy server or not? If you disable login access as one user from a given IP address, then you effectively disable login access as _all_ users from that IP address, because it would be (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)

Message is in Reply To:
  Re: LUGNET Memberships
 
(...) ouch. How easy is it for a thief to get your customer number? How many digits is your PIN? (...) natch. :) (...) Disable accounts on repeated fails and you make it trivial to DoS someone. Disable IP addresses and you lock out the innocent on (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)  

113 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    

Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR