[Dovecot] Delay on failed pw attempts

Dean Brooks dean at iglou.com
Tue Jan 1 23:47:56 EET 2008


On Tue, Jan 01, 2008 at 11:22:31PM +0200, Timo Sirainen wrote:
> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> > Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> > style option that would put in an artificial delay after a failed
> > password attempt?
> > 
> > As it stands now, Dovecot seems highly vulnerable to widescale
> > brute-force password dictionary scans.
> > 
> > Even if it's not configurable, can a delay be hardcoded to something
> > like, say, 10 or 15 seconds?
> 
> Failed auth requests are put to a queue that's flushed every 2 seconds.
> So there is already a delay. I don't think it's a good idea to increase
> it up from 2 seconds, it just gets annoying when you type the wrong
> password accidentally.

I think the majority of Dovecot users would propose that 2 seconds is
much too short, and that the annoyance of an occasional rare wrong
password is of little concern given the high number of dictionary
attacks occurring nowadays.

This *really* needs to be configurable.  For our site, I would probably
set the delay to 15 seconds.  Others might want it at the very low
2 seconds like you suggest.

I suppose I could spend the development time to do this and then post
my patch on the Wiki for everyone who needs it, but it seems like this
would be better done in the official sources instead of requiring
everyone to download a one-off patch.

--
Dean Brooks
dean at iglou.com
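To make the trade-off in this thread concrete, here is a small model of the mechanism Timo describes (failed replies held in a queue that is flushed on a fixed schedule) with the interval exposed as the knob Dean asks for. This is an added illustration, not Dovecot's code; the class and function names, and the assumption that successful logins are answered immediately while only failures are queued, are mine.

```python
import math


class FailedAuthQueue:
    """Holds replies to failed authentication attempts until the next flush.

    Flushes occur on a fixed schedule (t = 0, interval, 2*interval, ...),
    mirroring the "queue flushed every 2 seconds" described in the thread.
    `flush_interval` is the hypothetical configurable delay (the thread's
    proposed auth_failed_delay); the default models the current 2 seconds.
    """

    def __init__(self, flush_interval=2.0):
        if flush_interval <= 0:
            raise ValueError("flush_interval must be positive")
        self.flush_interval = flush_interval
        self.pending = []  # list of (release_time, request_id)

    def authenticate(self, now, request_id, password_ok):
        """Return the time at which the client learns the outcome."""
        if password_ok:
            # Assumption: successes are not delayed, only failures are queued.
            return now
        # Next flush strictly after `now`: a failure arriving exactly on a
        # flush boundary still waits a full interval.
        release = (math.floor(now / self.flush_interval) + 1) * self.flush_interval
        self.pending.append((release, request_id))
        return release

    def flush(self, now):
        """Release and return the ids of all failures due at or before `now`."""
        due = [rid for rel, rid in self.pending if rel <= now]
        self.pending = [(rel, rid) for rel, rid in self.pending if rel > now]
        return due


def sequential_guesses(flush_interval, duration):
    """Count wrong guesses one client, waiting for each reply before sending
    the next, can get answered within `duration` seconds.

    This is the number a defender cares about when choosing the delay: it is
    the per-connection guess rate the queue permits against a dictionary scan.
    """
    queue = FailedAuthQueue(flush_interval)
    now = 0.0
    count = 0
    while True:
        answered_at = queue.authenticate(now, count, password_ok=False)
        if answered_at > duration:
            return count
        count += 1
        now = answered_at


if __name__ == "__main__":
    # Constructed comparison of the two settings discussed in the thread.
    for delay in (2, 15):
        print(f"delay {delay:>2}s: {sequential_guesses(delay, 60)} guesses/min "
              f"per sequential connection")
    # Cost to a legitimate user who mistypes once at t = 0.5 s:
    print("user waits until t =", FailedAuthQueue(15).authenticate(0.5, "u", False))
```

The model shows both sides of the argument in one place: the per-connection guess rate drops from 30/min to 4/min when the interval goes from 2 to 15 seconds, and a user who mistypes pays up to one full interval for that failure.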
