On Thu, 24 Feb 2011 11:24:22 EST, jf said:

> (how come no one ever points out that rate-limiting failed logins is probably
> more important than password complexity?)

We once had an incident where after the guy whacked the box, he intentionally spammed the box with more incorrect logins, just so when we went to respond, none of the sysadmins were able to login because their accounts were all off in the "too many failed logins, logins suspended for 30 mins" limbo.

Like most security features, rate-limiting logins can be used against you by an attacker with sufficient security jiu-jitsu.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/