Nicolas.Williams at sun.com
Mon Sep 21 14:16:27 EDT 2009
On Mon, Sep 21, 2009 at 11:12:04AM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > What's really desired here is a way to slow down password guessing
> > attacks. Account "lockout" is just what this technique evolved from.
> This is partly out of context and I suspect the end solution will work for
> this regardless, but to mention: I don't know about others who are looking
> at this feature, but what Stanford would need is account lockout, even if
> it's not effective at slowing down password guessing attacks. That's
> because the requirement is regulatory, not technical. The security
> standards with which we have to comply (specifically PCI) name account
> lockout specifically, not just techniques to slow down password guessing.

I'm quite aware of the regulatory nature of the requirement. But from a
real security point of view the correct requirement should be to detect
and mitigate password guessing attacks.
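The distinction drawn in this message, hard account lockout versus slowing down and detecting guessing, can be made concrete with a small model. The following is an added example, not code from the krbdev thread or from MIT Kerberos: a per-principal failure tracker that implements both policies side by side. The class name, thresholds, window lengths and the simulated login attempts are all constructed for illustration and do not reflect any PCI parameter or KDC setting.

```python
from collections import defaultdict, deque


class AuthGuard:
    """Per-principal failed-authentication tracker offering two mitigations.

    - lockout policy: refuse logins for `lockout_secs` once `max_failures`
      failures occur inside `window_secs` (the behaviour compliance texts name)
    - throttle policy: never refuse, but require an exponentially growing
      delay between attempts, which slows guessing without denying service
    - detection: list principals whose recent failure count looks like an attack
    Clock values are passed in explicitly so runs are reproducible offline.
    All parameter defaults are constructed values, not a recommended policy.
    """

    def __init__(self, max_failures=6, window_secs=1800, lockout_secs=1800,
                 base_delay=1.0, max_delay=64.0):
        self.max_failures = max_failures
        self.window_secs = window_secs
        self.lockout_secs = lockout_secs
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = defaultdict(deque)   # principal -> failure timestamps
        self._locked_until = {}               # principal -> unlock time

    def _recent(self, principal, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[principal]
        while q and now - q[0] > self.window_secs:
            q.popleft()
        return q

    def record_failure(self, principal, now):
        q = self._recent(principal, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[principal] = now + self.lockout_secs

    def record_success(self, principal):
        # A correct password clears both the history and any lock.
        self._failures.pop(principal, None)
        self._locked_until.pop(principal, None)

    def lockout_decision(self, principal, now):
        """Hard lockout: True if the principal may attempt to authenticate."""
        until = self._locked_until.get(principal)
        if until is not None and now < until:
            return False
        self._locked_until.pop(principal, None)
        return True

    def throttle_delay(self, principal, now):
        """Slow-down policy: seconds to wait before answering this principal."""
        n = len(self._recent(principal, now))
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def suspicious(self, threshold, now):
        """Detection: principals with at least `threshold` recent failures."""
        return sorted(p for p in list(self._failures)
                      if len(self._recent(p, now)) >= threshold)


def simulate():
    """Constructed scenario: a guessing burst against 'alice', a typo by 'bob'."""
    guard = AuthGuard(max_failures=6, window_secs=1800, lockout_secs=1800)
    t0 = 1_000_000.0
    # Eight wrong passwords for alice, one second apart; lockout stops the
    # tracker from recording attempts once the account is locked.
    for i in range(8):
        if guard.lockout_decision("alice", t0 + i):
            guard.record_failure("alice", t0 + i)
    # bob mistypes once, then logs in correctly.
    guard.record_failure("bob", t0)
    bob_delay_after_typo = guard.throttle_delay("bob", t0 + 1)
    guard.record_success("bob")
    bob_delay_after_success = guard.throttle_delay("bob", t0 + 2)
    return {
        "alice_failures_recorded": len(guard._failures["alice"]),
        "alice_locked_now": not guard.lockout_decision("alice", t0 + 8),
        "alice_delay_now": guard.throttle_delay("alice", t0 + 8),
        "suspicious": guard.suspicious(5, t0 + 8),
        "bob_delay_after_typo": bob_delay_after_typo,
        "bob_delay_after_success": bob_delay_after_success,
        # After the lockout period and window have passed, alice is usable again.
        "alice_locked_later": not guard.lockout_decision("alice", t0 + 1806),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The two policies answer different questions: `lockout_decision` is what a compliance checklist can tick, while `throttle_delay` bounds the guess rate an attacker can achieve without letting them lock a legitimate user out by design, and `suspicious` is the detection hook that turns either into an alert rather than a silent counter.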