Nicolas Williams Nicolas.Williams at sun.com
Mon Sep 21 14:16:27 EDT 2009

On Mon, Sep 21, 2009 at 11:12:04AM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > What's really desired here is a way to slow down password guessing
> > attacks.  Account "lockout" is just what this technique evolved from.
> This is partly out of context and I suspect the end solution will work for
> this regardless, but to mention: I don't know about others who are looking
> at this feature, but what Stanford would need is account lockout, even if
> it's not effective at slowing down password guessing attacks.  That's
> because the requirement is regulatory, not technical.  The security
> standards with which we have to comply (specifically PCI) name account
> lockout specifically, not just techniques to slow down password guessing.

I'm quite aware of the regulatory nature of the requirement.  But from a
real security point of view the correct requirement should be to detect
and mitigate password guessing attacks.
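The two approaches the thread contrasts, as an added illustration that is not part of this message or of any Kerberos implementation: a hard per-account lockout after a fixed number of consecutive failures (the PCI-style requirement) next to an exponential per-account backoff that slows guessing without closing the account, with both writing the audit events a detection pipeline would consume. The class and function names, the principal name, the thresholds and the attempt sequence are all constructed for the example.

```python
"""Account lockout vs. throttled password guessing (added illustration).

Two policies a KDC or login service could apply to repeated failures for a
principal: a hard lockout after N consecutive failures, and an exponential
per-account backoff that slows guessing without ever closing the account.
Both record audit events so the attack is detectable either way.
Hypothetical names and thresholds; not MIT Kerberos code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # lockout mode: all attempts fail before this time
    not_before: float = 0.0    # throttle mode: earliest time the next attempt is evaluated


class GuessingPolicy:
    def __init__(self, mode: str, max_failures: int = 5,
                 lockout_seconds: float = 1800.0, base_delay: float = 1.0,
                 max_delay: float = 60.0) -> None:
        assert mode in ("lockout", "throttle")
        self.mode = mode
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.accounts: Dict[str, AccountState] = {}
        self.events: List[str] = []  # audit trail for detection

    def attempt(self, principal: str, password_ok: bool, now: float) -> str:
        """Evaluate one authentication attempt; returns allow/deny/locked/throttled."""
        st = self.accounts.setdefault(principal, AccountState())
        if self.mode == "lockout" and now < st.locked_until:
            self.events.append(f"t={now:g} LOCKED   {principal}")
            return "locked"
        if self.mode == "throttle" and now < st.not_before:
            self.events.append(f"t={now:g} THROTTLE {principal} until t={st.not_before:g}")
            return "throttled"
        if password_ok:
            st.failures = 0
            st.not_before = 0.0
            return "allow"
        st.failures += 1
        self.events.append(f"t={now:g} FAIL     {principal} consecutive={st.failures}")
        if self.mode == "lockout":
            if st.failures >= self.max_failures:
                st.locked_until = now + self.lockout_seconds
                self.events.append(f"t={now:g} LOCKOUT  {principal} until t={st.locked_until:g}")
        else:
            # double the wait after every failure, capped so the account never closes
            delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
            st.not_before = now + delay
        return "deny"


# Constructed sequence: eight wrong guesses one second apart against one
# principal, then the legitimate user presenting the right password at t=8
# and again at t=20.
ATTEMPTS: List[Tuple[float, bool]] = (
    [(float(t), False) for t in range(8)] + [(8.0, True), (20.0, True)]
)


def simulate(mode: str) -> List[str]:
    """Run the constructed attempt sequence under one policy."""
    policy = GuessingPolicy(mode)
    return [policy.attempt("alice@EXAMPLE.COM", ok, now) for now, ok in ATTEMPTS]


def guesses_evaluated(mode: str) -> int:
    """How many wrong guesses the policy actually checked against the password."""
    return sum(1 for r in simulate(mode) if r == "deny")


if __name__ == "__main__":
    for mode in ("lockout", "throttle"):
        print(mode, simulate(mode), "guesses evaluated:", guesses_evaluated(mode))
```

Under the lockout policy the fifth wrong guess closes the account for the full window, so the legitimate user's correct password at t=8 and t=20 is also refused; under the backoff policy the guesser gets fewer attempts evaluated in the same eight seconds and the legitimate user is admitted once the current delay has passed. In a real service the throttle key would usually combine the principal with the request source so that one guesser cannot impose the delay on everyone.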


