[Dovecot] SQL/LDAP Lockouts?

Dan Stromberg strombrg at dcs.nac.uci.edu
Fri Dec 10 18:56:03 EET 2004


On Fri, 2004-12-10 at 06:17 +0100, Wouter Van Hemel wrote:
> On Thu, 9 Dec 2004, Ben Beuchler wrote:
> 
> > On Thu, Dec 09, 2004 at 09:20:21PM +0000, Paul Reilly wrote:
> >
> >>> Then again, the convention net.wisdom at least -used- to be that this
> >>> was a bad idea, because it became an easy DOS attack.
> >>>
> >> I take your point. But at the same time if there's no lockout mechanism
> >> a brute force attack will eventually guess the passwords.
> >
> > Tarpitting seems like a good approach, here.
> >
> >
> 
> I was just about to mail the same. That might be a nice post-1.0 feature. 
> Especially if more software will use dovecot for authentication.

I almost mailed that too, but then I realized that it would complicate
brute-forcing only slightly:

1) If you get a good auth, you're in
2) If you get a bad auth, or the response takes more than n
milliseconds/seconds, try the next password
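To make the trade-off in this thread concrete, here is an added illustration (not code from the list or from Dovecot) modelling the two policies: a per-account lockout, which lets an attacker's wrong guesses deny the real user access, against a tarpit that only slows the answer. The `AuthThrottle` class, the sample user database and the parameter values are assumptions for the example.

```python
import time
# Constructed sample user database standing in for the SQL/LDAP backend.
USERDB = {"alice": "correct horse battery"}

def password_ok(user, password):
    return USERDB.get(user) == password

class AuthThrottle:
    """Hypothetical throttle modelling the two policies from the thread.
    lockout: after max_failures bad passwords the account refuses every login,
             the right password included, for lock_seconds.
    tarpit:  each consecutive failure doubles the delay before the server
             answers, but a correct password is still accepted.
    """
    def __init__(self, policy, max_failures=5, lock_seconds=900,
                 base_delay=1.0, max_delay=30.0):
        assert policy in ("lockout", "tarpit")
        self.policy, self.max_failures = policy, max_failures
        self.lock_seconds, self.base_delay = lock_seconds, base_delay
        self.max_delay = max_delay
        self.failures = {}  # user -> [consecutive failures, time of last failure]

    def attempt(self, user, ok, now=None):
        """Return (accepted, delay_seconds) for one login attempt."""
        now = time.time() if now is None else now
        count, last = self.failures.get(user, [0, 0.0])
        if self.policy == "lockout":
            if count >= self.max_failures and now - last < self.lock_seconds:
                return False, 0.0  # locked: refused regardless of the password
            delay = 0.0
        else:
            delay = min(self.base_delay * 2 ** (count - 1), self.max_delay) if count else 0.0
        if ok:
            self.failures.pop(user, None)  # success resets the failure counter
            return True, delay
        self.failures[user] = [count + 1, now]
        return False, delay

def simulate(policy, attacker_guesses=6):
    """An attacker sends wrong guesses for alice, then alice logs in correctly."""
    throttle = AuthThrottle(policy)
    now = 1000.0
    for i in range(attacker_guesses):
        throttle.attempt("alice", password_ok("alice", f"guess{i}"), now + i)
    return throttle.attempt("alice", password_ok("alice", "correct horse battery"), now + 10)

if __name__ == "__main__":
    print("lockout:", simulate("lockout"))  # (False, 0.0): alice is denied, the DoS the thread warns about
    print("tarpit:", simulate("tarpit"))    # (True, 30.0): alice waits, but gets in
```

The simulation shows the lockout refusing the legitimate user after the attacker's failures, while the tarpit still admits her after a capped delay.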
