[Dovecot] Delay on failed pw attempts

Timo Sirainen tss at iki.fi
Tue Jan 1 23:22:31 EET 2008


On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> Hi,
> 
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?
> 
> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.
> 
> Even if it's not configurable, can a delay be hardcoded to something
> like, say, 10 or 15 seconds?

Failed auth requests are put to a queue that's flushed every 2 seconds.
So there is already a delay. I don't think it's a good idea to increase
it up from 2 seconds, it just gets annoying when you type the wrong
password accidentally.

Although I suppose I could change the code so that it always waits 2
seconds instead of flushing all of them.


