[Dovecot] SQL/LDAP Lockouts?
Dan Stromberg
strombrg at dcs.nac.uci.edu
Fri Dec 10 18:56:03 EET 2004
On Fri, 2004-12-10 at 06:17 +0100, Wouter Van Hemel wrote:
> On Thu, 9 Dec 2004, Ben Beuchler wrote:
>
> > On Thu, Dec 09, 2004 at 09:20:21PM +0000, Paul Reilly wrote:
> >
> >>> Then again, the convention net.wisdom at least -used- to be that this
> >>> was a bad idea, because it became an easy DOS attack.
> >>>
> >> I take your point. But at the same time if there's no lockout mechanism
> >> a brute force attack will eventually guess the passwords.
> >
> > Tarpitting seems like a good approach, here.
> >
> >
>
> I was just about to mail the same. That might be a nice post-1.0 feature.
> Especially if more software will use dovecot for authentication.
I almost mailed that too, but then I realized that it would complicate
brute-forcing only slightly:
1) If you get a good auth, you're in
2) If you get a bad auth, or the response takes more than n
milliseconds/seconds, try the next password
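The two-step attacker loop in the message can be put into a small simulation. The following is an added example, not code from the original post and not Dovecot's own code: a simulated authenticator that holds every failed login for a tarpit delay, and a brute-forcer that treats any response slower than its own timeout the same as a bad password and moves on. Time is simulated rather than slept, so it runs instantly and deterministically; the account store, round-trip time, tarpit delay, timeout, connection count and wordlist are all constructed assumptions.

```python
"""Simulated tarpit versus a brute-forcer that times out slow responses.

Added example, not Dovecot code. Models the strategy in the message: the
server delays every failed authentication (a tarpit); the attacker treats a
response slower than its own timeout exactly like a failed login and moves
on to the next password. Time is simulated, not slept, so the run is
deterministic. The credential store, delays and wordlist are constructed.
"""
import hashlib
import hmac

# Constructed account database: one user, SHA-256 of the password (a toy,
# not a recommendation for real password storage).
PASSWORD_STORE = {"alice": hashlib.sha256(b"s3cret7").hexdigest()}

RTT = 0.05  # assumed network round trip per attempt, in seconds


def auth_server(user, password, tarpit_delay):
    """Return (accepted, response_time). A failed login is held for tarpit_delay."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    accepted = hmac.compare_digest(digest, PASSWORD_STORE.get(user, ""))
    return accepted, RTT + (0.0 if accepted else tarpit_delay)


def brute_force(user, wordlist, tarpit_delay, timeout=None, connections=1):
    """Try each candidate; return (password_or_None, wall_clock_seconds, attempts).

    With timeout set, the attacker abandons any response slower than timeout
    and moves to the next candidate (step 2 of the message). connections
    models independent parallel sessions sharing one wordlist (assumed).
    """
    total_wait = 0.0
    for attempt, candidate in enumerate(wordlist, 1):
        accepted, response_time = auth_server(user, candidate, tarpit_delay)
        if timeout is not None and response_time > timeout:
            total_wait += timeout          # gave up waiting; counted as a failure
            continue
        total_wait += response_time
        if accepted:                       # step 1 of the message: good auth, you're in
            return candidate, total_wait / connections, attempt
    return None, total_wait / connections, len(wordlist)


WORDLIST = ["password", "123456", "qwerty", "letmein", "s3cret7"]  # constructed


def compare(tarpit_delay=5.0, timeout=0.5, connections=10):
    """Simulated wall-clock cost of cracking alice under four setups."""
    return {
        "no_tarpit": brute_force("alice", WORDLIST, 0.0)[1],
        "tarpit_patient_attacker": brute_force("alice", WORDLIST, tarpit_delay)[1],
        "tarpit_timeout_attacker": brute_force("alice", WORDLIST, tarpit_delay, timeout)[1],
        "tarpit_timeout_parallel": brute_force(
            "alice", WORDLIST, tarpit_delay, timeout, connections)[1],
    }


if __name__ == "__main__":
    for name, seconds in compare().items():
        print(f"{name:28s} {seconds:8.3f} s")
```

With the constructed numbers, a patient attacker pays the full tarpit delay on each of the four wrong guesses, while an attacker that times out after 0.5 s pays only its own timeout per wrong guess, and spreading the wordlist over several connections divides that further; the numbers are the model's, not measurements of Dovecot.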