[Dovecot] Delay on failed pw attempts
Timo Sirainen
tss at iki.fi
Tue Jan 1 23:22:31 EET 2008
On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> Hi,
>
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?
>
> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.
>
> Even if it's not configurable, can a delay be hardcoded to something
> like, say, 10 or 15 seconds?
Failed auth requests are put to a queue that's flushed every 2 seconds.
So there is already a delay. I don't think it's a good idea to increase
it up from 2 seconds, it just gets annoying when you type the wrong
password accidentally.
Although I suppose I could change the code so that it always waits 2
seconds instead of flushing all of them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20080101/e281fcce/attachment.bin
More information about the dovecot
mailing list