10 Dec 2004, 6:56 p.m.
On Fri, 2004-12-10 at 06:17 +0100, Wouter Van Hemel wrote:
On Thu, 9 Dec 2004, Ben Beuchler wrote:
On Thu, Dec 09, 2004 at 09:20:21PM +0000, Paul Reilly wrote:
Then again, the conventional net.wisdom at least -used- to be that this was a bad idea, because it became an easy DoS attack.
I take your point. But at the same time, if there's no lockout mechanism, a brute-force attack will eventually guess the passwords.
Tarpitting seems like a good approach, here.
I was just about to mail the same. That might be a nice post-1.0 feature, especially if more software will use Dovecot for authentication.
I almost mailed that too, but then I realized that it would complicate brute-forcing only slightly:
- If you get a good auth, you're in
- If you get a bad auth, or the response takes more than n milliseconds/seconds, try the next password
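The two-line strategy above only works while the delay is charged to the connection the client can abandon. As an added illustration (not code from this thread or from Dovecot), here is a simulated tarpit that charges each failure to the source address and keeps the slot busy for the full hold time, run against exactly that impatient client; `AuthTarpit`, `simulate_impatient_client`, the source address 203.0.113.7 and all delay values are assumptions made for the example.

```python
import time
from collections import defaultdict

class AuthTarpit:
    """Server-side tarpit that charges failed logins to the source address, not
    to the connection, so a client that abandons slow replies gains nothing.
    Assumed design, not Dovecot's: the hold doubles per consecutive failure up
    to max_delay_ms, and a source may have at most max_inflight holds pending;
    further attempts are refused immediately, before the password is checked."""

    def __init__(self, base_delay_ms=500, max_delay_ms=8000, max_inflight=3,
                 clock_ms=lambda: int(time.monotonic() * 1000)):
        self.base, self.cap, self.max_inflight = base_delay_ms, max_delay_ms, max_inflight
        self.clock_ms = clock_ms
        self.failures = defaultdict(int)   # consecutive failures per source
        self.inflight = defaultdict(list)  # release times (ms) of pending holds

    def attempt(self, source, password_ok):
        """Return (status, hold_ms); status is 'ok', 'fail' or 'reject'."""
        now = self.clock_ms()
        pending = [t for t in self.inflight[source] if t > now]  # expire old holds
        self.inflight[source] = pending
        if len(pending) >= self.max_inflight:
            return "reject", 0       # bounds guesses/sec whatever the client's concurrency
        if password_ok:
            self.failures[source] = 0
            return "ok", 0
        hold = min(self.base * 2 ** self.failures[source], self.cap)
        self.failures[source] += 1
        pending.append(now + hold)   # slot stays busy even if the client hangs up
        return "fail", hold

def simulate_impatient_client(guesses, give_up_after_ms, rtt_ms=50, **tarpit_kwargs):
    """The client from the thread: a reply slower than give_up_after_ms counts as
    a failure and the next guess goes out on a fresh connection. Simulated clock.
    Returns (guesses evaluated, guesses rejected unexamined, elapsed_ms)."""
    clock = [0]
    tarpit = AuthTarpit(clock_ms=lambda: clock[0], **tarpit_kwargs)
    evaluated = rejected = 0
    for password_ok in guesses:
        status, hold = tarpit.attempt("203.0.113.7", password_ok)  # constructed source IP
        if status == "reject":
            rejected += 1
        else:
            evaluated += 1
        clock[0] += rtt_ms + min(hold, give_up_after_ms)  # client never waits longer
    return evaluated, rejected, clock[0]
```

With the hold cap disabled (`max_inflight` huge) the client pays only its own timeout per guess, which is the "only slightly" of the message above; with the cap, most guesses are refused unexamined. The refusal happens before the password is checked, so a correct login from a source whose slots are full is also refused, which is the lockout/DoS trade-off raised earlier in the thread.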