[Dovecot] Delay on failed pw attempts

Benjamin R. Haskell dovecot at benizi.com
Tue Jan 1 23:42:45 EET 2008


On Tue, 1 Jan 2008, Timo Sirainen wrote:

> On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
>> Hi,
>>
>> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
>> style option that would put in an artificial delay after a failed
>> password attempt?
>>
>> As it stands now, Dovecot seems highly vulnerable to widescale
>> brute-force password dictionary scans.
>>
>> Even if it's not configurable, can a delay be hardcoded to something
>> like, say, 10 or 15 seconds?
>
> Failed auth requests are put to a queue that's flushed every 2 seconds.
> So there is already a delay. I don't think it's a good idea to increase
> it up from 2 seconds, it just gets annoying when you type the wrong
> password accidentally.
>

I'd think the increase in effort required for a dictionary attack would 
outweigh the infrequent inconvenience to valid users.


> Although I suppose I could change the code so that it always waits 2
> seconds instead of flushing all of them.
>

Any reason that '2 seconds' couldn't be configurable (with a default of 
2)? In my situation, I'm the only user of my system, and I use reasonably 
secure passwords, so brute-force doesn't really scare me. As a sysadmin at 
an ISP or company with (too-)lenient password requirements, on the other 
hand, it'd be nice to slow an attack by a larger factor.

Best,
Ben
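To put numbers on the two behaviours Timo describes (a failure queue flushed every 2 seconds versus a fixed per-request wait) and on the larger delays Dean and Ben ask for, here is a small simulation. It is an added example written for this archive page, not Dovecot code and not anything posted in the thread: the policy functions, `simulate()` and `hours_to_exhaust()` are hypothetical names, the flush-queue model assumes a failed reply is released at the next multiple of the interval, the fixed-delay model assumes each failed reply is held for exactly the interval, and the dictionary size is a constructed figure. Time is simulated, so nothing sleeps.

```python
"""
Toy model of failed-authentication throttling policies (added example, not
Dovecot source). Two policies are modelled:

  flush queue : a failed reply is held until the next multiple of `interval`
                seconds (the queue described in the thread, default 2 s)
  fixed delay : a failed reply is held for exactly `interval` seconds after
                the request arrives (the alternative mentioned in the thread)

Only failed attempts are modelled, and time is simulated, not slept.
"""
import math
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

Policy = Callable[[float, float], float]


def flush_queue_reply_time(arrival: float, interval: float) -> float:
    """Reply is released at the next flush boundary after the request arrives.
    A request landing exactly on a boundary misses that flush and waits for
    the next one (assumption of this model)."""
    return (math.floor(arrival / interval) + 1) * interval


def fixed_delay_reply_time(arrival: float, interval: float) -> float:
    """Reply is released exactly `interval` seconds after the request arrives."""
    return arrival + interval


@dataclass
class Outcome:
    attempts: int      # wrong-password attempts answered inside the window
    mean_wait: float   # mean seconds from sending a guess to getting its reply


def simulate(policy: Policy, interval: float, window: float,
             connections: int = 1,
             start_offsets: Optional[Sequence[float]] = None) -> Outcome:
    """Model an attacker who guesses sequentially on each connection, sending
    the next guess the moment the previous reply arrives, with `connections`
    such connections running in parallel and independently of each other.
    `window` is the attack duration in seconds; `start_offsets` optionally
    gives the time at which each connection sends its first guess."""
    attempts = 0
    total_wait = 0.0
    for c in range(connections):
        t = start_offsets[c] if start_offsets else 0.0
        while True:
            reply = policy(t, interval)
            if reply > window:
                break
            attempts += 1
            total_wait += reply - t
            t = reply
    return Outcome(attempts, total_wait / attempts if attempts else 0.0)


def hours_to_exhaust(wordlist: int, interval: float, connections: int,
                     policy: Policy = flush_queue_reply_time) -> float:
    """Hours needed to try every word of a `wordlist`-sized dictionary against
    one account, given the attempt rate the policy permits over one hour."""
    per_hour = simulate(policy, interval, 3600.0, connections).attempts
    return wordlist / per_hour if per_hour else math.inf


if __name__ == "__main__":
    # Constructed scenario: a 100,000-word dictionary, attacker with 1 or 20
    # parallel connections, and the 2 s default against the 10 s / 15 s asked for.
    for interval in (2.0, 10.0, 15.0):
        for conns in (1, 20):
            fq = simulate(flush_queue_reply_time, interval, 3600.0, conns)
            fd = simulate(fixed_delay_reply_time, interval, 3600.0, conns)
            print(f"interval={interval:4.0f}s conns={conns:2d} "
                  f"flush-queue={fq.attempts:5d}/h fixed-delay={fd.attempts:5d}/h "
                  f"100k words: {hours_to_exhaust(100_000, interval, conns):7.1f} h")
```

What the model shows: for an attacker who sends the next guess as soon as the previous reply comes back, the flush queue and the fixed delay permit the same sustained rate, one failure per interval per connection; the queue only shortens the wait of an isolated wrong guess (on average half the interval). Raising the interval from 2 s to 10 s divides that rate by five, which is the "larger factor" Ben refers to, but the total still grows linearly with the number of parallel connections, so a delay on its own slows a scan rather than capping it.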

