[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Reg Quinton reggers at ist.uwaterloo.ca
Wed May 9 14:10:32 GMT 2007

>>> We recently enabled a system to block the ssh brute force crack. Within
>>> 48 hours we had legit users blocked. I thought we had set up very generous
>>> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on
>>> a non-existent account. Who'd have thunk that that many users don't even
>>> know their login name? It's a waste on systems open to users.
> All lockout methods become a dos. If you just enforce pacing of ssh
> sessions, you win.

We authenticate against an Active Directory where the policy is 15 failed 
logins followed by a 5-minute lockout. This works well enough -- locking a 
person out forever would be a DoS, locking them out for 5 minutes is not.
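An added illustration (not code from the thread or from any of the systems mentioned) of the policy Reg describes, 15 consecutive failures followed by a 5-minute lockout, next to the "lock out forever" alternative, so the self-healing difference can be checked directly. The threshold and window come from the post; the injectable clock and the user name are assumptions for the simulation.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed example: account lockout with a time-limited window.
# lockout_seconds=None models the "lock out forever" policy the post warns about.


@dataclass
class LockoutPolicy:
    max_failures: int = 15                       # from the post: 15 failed logins
    lockout_seconds: Optional[float] = 300.0     # from the post: 5-minute lockout
    clock: Callable[[], float] = time.monotonic  # injectable so tests can advance time
    failures: Dict[str, int] = field(default_factory=dict)       # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:          # float("inf") never expires
            return True
        # Lockout has expired: clear state so the user starts with a fresh budget.
        del self.locked_until[user]
        self.failures.pop(user, None)
        return False

    def record_failure(self, user: str) -> bool:
        """Count one bad login; return True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            expiry = float("inf") if self.lockout_seconds is None else self.clock() + self.lockout_seconds
            self.locked_until[user] = expiry
            return True
        return False

    def record_success(self, user: str) -> None:
        """A good login resets the consecutive-failure counter."""
        self.failures.pop(user, None)


def simulate(lockout_seconds: Optional[float]) -> tuple:
    """Drive 15 bad guesses at a hypothetical user, then check access 5 minutes later."""
    now = [0.0]                                  # fake clock, advanced by hand
    policy = LockoutPolicy(lockout_seconds=lockout_seconds, clock=lambda: now[0])
    for _ in range(15):
        policy.record_failure("alice")
    locked_now = policy.is_locked("alice")
    now[0] += 301                                # just past the 5-minute window
    return locked_now, policy.is_locked("alice")
```

`simulate(300.0)` returns `(True, False)`: the legitimate user regains access after the window, whereas `simulate(None)` returns `(True, True)`, the permanent lock that an attacker can trigger at will.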

