Posted to dev@httpd.apache.org by Rodent of Unusual Size <co...@decus.org> on 1997/03/30 16:33:48 UTC

PR #209 and delays in authentication retry

    PR#209 complains that, since he uses his system passwd file as his
    authentication source, Web-based attacks can be mounted on his
    accounts with no governor.  He wants us to impose a 5-second delay
    before responding with an authentication failure.

    I'd like to close this with a "not a chance" reply, but I want to
    make sure no-one else thinks this is a good idea, or worth
    considering, first.  Penalising people who mis-spell their
    passwords, or hit the CAPS-LOCK key, just because this chap uses his
    system passwd file to limit access surely doesn't sound like The
    Right Thing(tm) to me..

    #ken    :-/}

Re: PR #209 and delays in authentication retry

Posted by Rob Hartill <ro...@imdb.com>.
On Sun, 30 Mar 1997, Rodent of Unusual Size wrote:

>     PR#209 complains that, since he uses his system passwd file as his
>     authentication source, Web-based attacks can be mounted on his
>     accounts with no governor.  He wants us to impose a 5-second delay
>     before responding with an authentication failure.
> 
>     I'd like to close this with a "not a chance" reply, but I want to
>     make sure no-one else thinks this is a good idea, or worth
>     considering, first.  Penalising people who mis-spell their
>     passwords, or hit the CAPS-LOCK key, just because this chap uses his
>     system passwd file to limit access surely doesn't sound like The
>     Right Thing(tm) to me..

Let him suffer.