[net.followup] guessing passwords

gregbo@houxm.UUCP (Greg Skinner) (03/29/85)

Instead of disabling the account, why not just drop the line after the Nth try at
guessing.  There could also be a cache of recently tried account names, and a
routine to decrease N (the number of tries you can have for the account) upon re-
enabling of the line.  That way, a password cracker will not have an equal number of
tries to get the password, and will quit.  If he tries a random sampling of accounts
and passwords, a count can be made of the number of incorrect tries, and the line
dropped at the Nth try, and N decreased for the next try.

In general though, making it difficult for crackers to guess passwords is just as hard
as (maybe even harder than) the actual guessing of passwords.  Except in cases where
access to the resources must be at a minimum (like in a military environment), it's
not worth it to add extra code to the passwd program to frustrate crackers.  Better
to just encourage people to use unguessable passwords, have them change theirs often,
and, if possible, generate random passwords for accounts.
-- 
			... hey, we've gotta get out of this place,
    			    there's got to be something better than this ...

Greg Skinner (gregbo)
{allegra,cbosgd,ihnp4}!houxm!gregbo
gregbo%houxm.uucp@harvard.arpa

ron@brl-tgr.ARPA (Ron Natalie <ron>) (04/02/85)

> Instead of disabling the account, why not just drop the line after the Nth try at

Well, we log the failed attempts and drop the line.  Although with the
port selectors and networks this doesn't bother people too much, they
just reconnect.  My favorite is to silently ignore all input to login
after the third attempt.

-Ron
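The two schemes in this thread, as an added simulation that is not code from either poster: Greg's line that hangs up at the Nth failure, keeps a cache of recently tried account names and shrinks N each time the line is re-enabled, and Ron's variants of logging the failures and dropping the line, or going silent after the third attempt. The class and method names, the toy password table and the rule that a successful login restores the line's N are assumptions made for this example; a real login would compare against hashed entries rather than a plaintext dict.

```python
"""Simulated login gate on one dial-up line (added example, not the posters' code)."""
from dataclasses import dataclass, field

# Constructed toy password table; plaintext only because this is a simulation.
PASSWD = {"gregbo": "correct horse", "ron": "tgr-1985"}


@dataclass
class Line:
    """One physical line.  Its counters survive across calls on that line."""
    default_tries: int = 3          # N: failures allowed on a fresh line / fresh account
    min_tries: int = 1              # never shrink N below this
    mode: str = "drop"              # "drop" = hang up at Nth failure, "ignore" = go silent
    line_tries: int = field(default=0, init=False)        # N for the line as a whole
    account_tries: dict = field(default_factory=dict)     # recently tried account -> its N
    failure_log: list = field(default_factory=list)       # (call number, account) per failure
    calls: int = 0

    def __post_init__(self):
        self.line_tries = self.default_tries

    def connect(self):
        """Re-enable the line for a new caller."""
        self.calls += 1
        return Session(self, self.calls)

    def allowed(self, account):
        """Tries this caller gets for this account: the stricter of the two counters,
        so random sampling across accounts is governed by the line-wide N."""
        return min(self.line_tries, self.account_tries.get(account, self.default_tries))

    def drop(self, session):
        """Hang up, then decrease N for the line and for every account tried on the call."""
        session.connected = False
        self.line_tries = max(self.min_tries, self.line_tries - 1)
        for acct in session.tried:
            prev = self.account_tries.get(acct, self.default_tries)
            self.account_tries[acct] = max(self.min_tries, prev - 1)

    def success(self, account):
        """Assumption for the example: a real login restores the line's N and
        forgets the account, so the counters do not ratchet down forever."""
        self.line_tries = self.default_tries
        self.account_tries.pop(account, None)


class Session:
    """One call on the line.  login() returns what the caller would see."""

    def __init__(self, line, call_id):
        self.line = line
        self.call_id = call_id
        self.connected = True
        self.ignoring = False
        self.failures = 0
        self.tried = set()

    def login(self, account, password):
        if not self.connected:
            return "NO CARRIER"
        if self.ignoring:
            return None                      # Ron's favorite: input swallowed, no reply, no log
        self.tried.add(account)
        if PASSWD.get(account) == password:
            self.line.success(account)
            return "ok"
        self.failures += 1
        self.line.failure_log.append((self.call_id, account))   # Ron: log every failure
        if self.failures >= self.line.allowed(account):
            if self.line.mode == "ignore":
                self.ignoring = True         # answer this attempt, then never again on this call
            else:
                self.line.drop(self)         # Greg: drop the line at the Nth try
                return "dropped"
        return "Login incorrect"
```

Usage: `line = Line(default_tries=3); s = line.connect(); s.login("gregbo", "guess")`. The trade-off Greg hints at shows up immediately in the simulation: once a cracker has been dropped twice, the line-wide N is down to one, so the next legitimate caller on that line also gets a single try, and only a successful login (or, in a real system, a time-based decay that this example does not implement) restores it. The "ignore" mode avoids that, since the cracker is never told to reconnect, at the cost of tying up the line.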