Re: Failed Login Attempts parameter

* Craig James (cjames@emolecules.com) wrote:
> A far better approach is an escalating delay. Check the number of failed
> login attempts N and delay (for example) N^2 seconds before responding
> again.  Legitimate users are mildly inconvenienced, and hackers are
> severely hampered.

Sadly, in certain environments (US Federal organizations which are
required to follow FISMA), a lock-after-X-attempts control is required.

We dealt with this by utilizing the PAM authentication method with
pam_tally.  It's kind of ugly, but it can be made to work.  Other
alternatives are using Kerberos or Certificate-based authentication
where the user has to acquire initial credenials through some other
mechanism and then those have a limited time of usefulness (eg: Kerberos
tickets only last 10 hours).  By using those credentials instead of
having database-based password requirements, you can avoid the entire
problem (along with password ageing, etc..).

    Thanks,

        Stephen