9 Nov
2009
11:50 p.m.
On Mon, 2009-11-09 at 16:41 -0500, Timo Sirainen wrote:
On Mon, 2009-11-09 at 09:01 +0100, Steffen Kaiser wrote:
Any thoughts?
The only two remarks I have are that some well-known IPs should be able to bypass this check, e.g. NATed gateways of the organisation
Hmm. That seems like way too much trouble. Even just on/off setting annoys me.
Maybe:
- If hash(user+password) has already been tried from the IP within n minutes, trying it again wouldn't increase the delay.
But that might increase the memory usage too much.. But maybe it could be limited to just n hashes and it wouldn't be too bad.
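
The idea in the message above (a retry of the same user+password from the same IP within n minutes does not raise the delay, with the cache capped at n hashes), sketched as an added example that is not Dovecot's code or part of the thread. The doubling delay, the constants, the keyed hash and the `FailurePenalty` name are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import OrderedDict

WINDOW_SECS = 300   # the "n minutes" window (assumed value)
MAX_HASHES = 8      # the "n hashes" cap per IP (assumed value)
MAX_DELAY = 16      # delay ceiling in seconds (assumed value)

class FailurePenalty:
    """Per-IP failed-login delay that ignores repeated identical attempts."""

    def __init__(self, key=None):
        # Keyed hash so the cache never holds a bare, offline-guessable
        # digest of user+password; the key lives only in this process.
        self._key = key or os.urandom(32)
        self._ips = {}  # ip -> {"delay": int, "seen": OrderedDict(tag -> time)}

    def _tag(self, user, password):
        # NUL separator so ("ab", "c") and ("a", "bc") hash differently.
        msg = user.encode() + b"\0" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:8]

    def failed_attempt(self, ip, user, password, now):
        """Record one failed login; return the delay (seconds) now in force."""
        state = self._ips.setdefault(ip, {"delay": 0, "seen": OrderedDict()})
        seen = state["seen"]
        tag = self._tag(user, password)
        last = seen.get(tag)
        if last is not None and now - last < WINDOW_SECS:
            seen.move_to_end(tag)    # still in use: evict it last
            return state["delay"]    # same guess again: no extra penalty
        seen[tag] = now              # new guess, or the old one has expired
        seen.move_to_end(tag)
        while len(seen) > MAX_HASHES:
            seen.popitem(last=False)  # bound memory: drop the oldest entry
        # Assumed penalty curve: 1s, then doubling up to MAX_DELAY.
        state["delay"] = min(MAX_DELAY, max(1, state["delay"] * 2))
        return state["delay"]
```

A client that keeps retrying a stale saved password stays at the same delay, while each new guess from that IP still raises it; once more than `MAX_HASHES` distinct guesses have been seen, the oldest is forgotten and counts as new again.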