[Dovecot] Delay on failed pw attempts

Timo Sirainen tss at iki.fi
Wed Jan 2 00:06:13 EET 2008


On Tue, 2008-01-01 at 16:47 -0500, Dean Brooks wrote:
> > Failed auth requests are put to a queue that's flushed every 2 seconds.
> > So there is already a delay. I don't think it's a good idea to increase
> > it up from 2 seconds, it just gets annoying when you type the wrong
> > password accidentally.
> 
> I think the majority of Dovecot users would propose that 2 seconds is
> much too short, and that the annoyance of an occasional rare wrong
> password is of little concern given the high number of dictionary
> attacks occurring nowadays.
> 
> This *really* needs to be configurable.  For our site, I would probably
> set the delay to 15 seconds.  Others might want it at the very low
> 2 seconds like you suggest.

I don't really like adding settings that just tweak a small detail, but
I guess there's no good default value for this then. v1.1 now has an
auth_failure_delay setting.

For v1.0 you can change src/auth/auth-request-handler.c line:

to_auth_failures = timeout_add(2000, auth_failure_timeout, NULL);

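An added sketch, not part of the original message and not Dovecot's code, of a failure queue flushed by a periodic timer as described above. It assumes each tick releases everything queued so far; the struct and function names are hypothetical. It shows that a single failed reply waits anywhere up to the interval, and compares the 2 second and 15 second values from the thread for one client retrying on one connection.

```c
#include <stdio.h>

#define MAX_QUEUED 64

/* Hypothetical model (not Dovecot's code): failed replies wait in a queue
 * and a periodic timer releases everything queued so far. */
struct failure_queue {
    unsigned arrived_ms[MAX_QUEUED]; /* when each failure was queued */
    size_t count;
};

/* First timer tick strictly after now_ms (ticks at interval, 2*interval, ...). */
unsigned next_flush_ms(unsigned interval_ms, unsigned now_ms)
{
    return (now_ms / interval_ms + 1) * interval_ms;
}

/* Hold one failed reply; returns -1 when the queue is full. */
int fq_add(struct failure_queue *q, unsigned now_ms)
{
    if (q->count == MAX_QUEUED)
        return -1;
    q->arrived_ms[q->count++] = now_ms;
    return 0;
}

/* Timer tick: release everything held; waited_ms[i] gets each reply's delay. */
size_t fq_flush(struct failure_queue *q, unsigned now_ms, unsigned *waited_ms)
{
    size_t released = q->count;
    for (size_t i = 0; i < released; i++)
        waited_ms[i] = now_ms - q->arrived_ms[i];
    q->count = 0;
    return released;
}

/* Failed replies one client sees in window_ms when it retries on each reply. */
unsigned serial_failures(unsigned interval_ms, unsigned window_ms, unsigned first_ms)
{
    unsigned n = 0, t = next_flush_ms(interval_ms, first_ms);
    for (; t <= window_ms; t = next_flush_ms(interval_ms, t))
        n++;
    return n;
}

int main(void)
{
    printf("%u %u\n", serial_failures(2000, 3600000, 500), serial_failures(15000, 3600000, 500));
    return 0;
}
```

The two printed numbers are failed attempts per hour for that single client at 2000 ms and 15000 ms; the times passed to `fq_add` in any test are constructed sample values.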