Posted to dev@httpd.apache.org by Rodent of Unusual Size <co...@decus.org> on 1997/03/30 16:33:48 UTC
PR #209 and delays in authentication retry
PR#209 complains that, since he uses his system passwd file as his
authentication source, Web-based attacks can be mounted on his
accounts with no governor. He wants us to impose a 5-second delay
before responding with an authentication failure.

I'd like to close this with a "not a chance" reply, but I want to
make sure no-one else thinks this is a good idea, or worth
considering, first. Penalising people who mis-spell their
passwords, or hit the CAPS-LOCK key, just because this chap uses his
system passwd file to limit access surely doesn't sound like The
Right Thing(tm) to me..
#ken :-/}
Re: PR #209 and delays in authentication retry
Posted by Rob Hartill <ro...@imdb.com>.
On Sun, 30 Mar 1997, Rodent of Unusual Size wrote:
> PR#209 complains that, since he uses his system passwd file as his
> authentication source, Web-based attacks can be mounted on his
> accounts with no governor. He wants us to impose a 5-second delay
> before responding with an authentication failure.
>
> I'd like to close this with a "not a chance" reply, but I want to
> make sure no-one else thinks this is a good idea, or worth
> considering, first. Penalising people who mis-spell their
> passwords, or hit the CAPS-LOCK key, just because this chap uses his
> system passwd file to limit access surely doesn't sound like The
> Right Thing(tm) to me..
Let him suffer.
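
An added example, not part of the original thread and not Apache code: a per-client failure governor in C that weighs both concerns raised above, answering the first failed attempts (a typo, CAPS-LOCK) with no delay and escalating to the 5-second figure from PR#209 only on repeated failures. The function names, table size and thresholds are assumptions, and the caller is assumed to wait the returned number of seconds before sending the failure response.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not Apache code; names and thresholds are assumptions. */
#define SLOTS      64  /* fixed table size */
#define FREE_TRIES 2   /* failures answered at once: typos, CAPS-LOCK */
#define MAX_DELAY  5   /* cap in seconds, the figure asked for in PR#209 */

static struct slot { char key[96]; int failures; } table[SLOTS];

/* Find or create the record for a client/user pair (slot 0 reused if full). */
static struct slot *lookup(const char *client, const char *user)
{
    char key[96];
    int i, spare = -1;
    snprintf(key, sizeof key, "%s|%s", client, user);  /* truncates long input */
    for (i = 0; i < SLOTS; i++) {
        if (strcmp(table[i].key, key) == 0) return &table[i];
        if (table[i].key[0] == '\0' && spare < 0) spare = i;
    }
    if (spare < 0) spare = 0;
    memset(&table[spare], 0, sizeof table[spare]);
    strcpy(table[spare].key, key);
    return &table[spare];
}

/* Record a failure; return seconds to wait before sending the 401. */
int auth_failed(const char *client, const char *user)
{
    struct slot *s = lookup(client, user);
    int over, delay = 1;
    if (s->failures < 1000) s->failures++;   /* saturate, no overflow */
    over = s->failures - FREE_TRIES;
    if (over <= 0) return 0;                 /* first mistakes cost nothing */
    while (--over > 0 && delay < MAX_DELAY) delay *= 2;   /* 1, 2, 4, ... */
    return delay > MAX_DELAY ? MAX_DELAY : delay;
}

/* A successful login frees the record. */
void auth_succeeded(const char *client, const char *user)
{
    memset(lookup(client, user), 0, sizeof(struct slot));
}

int main(void)
{
    int i;
    for (i = 1; i <= 6; i++)   /* constructed client address and user name */
        printf("failure %d: wait %ds\n", i, auth_failed("192.0.2.10", "alice"));
    return 0;
}
```

Because the record is keyed on client and user together, failures from one address do not slow a login for the same account from another address.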