[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
reggers at ist.uwaterloo.ca
Wed May 9 14:10:32 GMT 2007
>>> We recently enabled a system to block the ssh brute force crack. Within
>>> hours we had legit users blocked. I thought we had set up very generous
>>> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on
>>> non-existent account. Who'd have thunk that that many users don't even know
>>> their login name? It's a waste on systems open to users.
> All lockout methods become a DoS. If you just enforce pacing of ssh
> sessions, you win.
We authenticate against an Active Directory where the policy is 15 failed
logins followed by a 5 min lockout. This works well enough -- locking a
person out forever would be a DoS, locking them out for 5 minutes is not.
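As an added illustration of the policy described in this reply (not code from the thread or from Active Directory), a per-account counter that locks after 15 failures and unlocks itself after 5 minutes; the threshold, the lockout length, the reset-on-success behaviour and the choice not to extend an existing lockout are assumptions, and the clock is injectable so the expiry can be exercised without waiting:

```python
import time
from dataclasses import dataclass

# Policy from the post: lock after 15 failed logins, keep locked for 5 minutes.
# A lockout that expires turns a permanent denial of service into a short delay.
THRESHOLD = 15
LOCKOUT_SECONDS = 5 * 60


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Per-account failed-login counter with a time-limited lockout (assumed design)."""

    def __init__(self, threshold=THRESHOLD, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for tests
        self.accounts: dict[str, AccountState] = {}

    def is_locked(self, user: str) -> bool:
        state = self.accounts.get(user)
        if state is None or state.locked_until == 0.0:
            return False
        if self.clock() >= state.locked_until:
            # Lockout expired: clear it and start counting afresh.
            self.accounts[user] = AccountState()
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed login; return True if the account is (now) locked."""
        if self.is_locked(user):
            # Do not extend the lockout: further attempts must not keep a
            # legitimate user locked out indefinitely.
            return True
        state = self.accounts.setdefault(user, AccountState())
        state.failures += 1
        if state.failures >= self.threshold:
            state.locked_until = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login (only possible while unlocked) resets the counter."""
        if not self.is_locked(user):
            self.accounts.pop(user, None)
```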