web-security methods, advice please!

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Jan 2 20:03:11 UTC 2007


On Tue, Jan 02, 2007 at 01:45:08PM -0500, Sy Ali wrote:
> I'm confused.. why not implement this idea server-side.. to
> automatically delay multiple password attempts?
> 
> Or better yet.. five password failures locks an IP out for x hours and
> logs the event.
> 
> Perhaps these ideas would help against the brute force worries.

Well, making a strong hash is more for making sure you can't crack the
password if you somehow get a hold of the password database.

Of course, if you can get the password database, you already have access
to the machine it would seem, in which case why try to break the
passwords, just take the data you want directly instead and forget about
the whole password mess.  It isn't as if these are password hashes sent
over the internet.  The plaintext password is being sent over the
internet so the hash is only to protect against decoding the password if
you manage to crack the security of the server in the first place.
Probably spending energy in trying to secure the wrong thing.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
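The two ideas in this exchange, the server-side lockout after five failed attempts from one IP with an event log (Sy Ali's suggestion) and a slow password hash that only matters once the password table has been stolen (Len's point), fit together in one small login handler. The code below is an added example written for this archive page, not code posted by either participant. The lockout length, the PBKDF2 iteration count, the in-memory user table and the sample addresses are constructed values chosen for the example; a real deployment would keep the counters and user records in persistent storage shared by all server processes.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed policy values: the post says "five failures" and "x hours".
MAX_FAILURES = 5
LOCKOUT_SECONDS = 2 * 60 * 60   # "x hours" chosen as 2 hours for this example
# Kept modest so the example runs quickly; production settings use more rounds.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). PBKDF2-HMAC-SHA256 is deliberately slow so that a
    stolen password table is expensive to attack offline, which is the only
    job the hash has when the plaintext password travels over the wire anyway."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Dummy record used for unknown usernames so the response time is the same
# whether or not the account exists (a constructed placeholder, not a real user).
DUMMY_RECORD = hash_password("not-a-real-password")


class LoginGuard:
    """Counts consecutive failed logins per source IP, locks the IP out after
    MAX_FAILURES for LOCKOUT_SECONDS, and records lockout events."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can move time
        self.failures = defaultdict(int)    # ip -> consecutive failures
        self.locked_until = {}              # ip -> unix time the lockout ends
        self.events = []                    # in-memory event log (constructed)

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the IP starts with a clean count.
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def attempt(self, ip: str, user: str, password: str, users: dict) -> str:
        """Return 'locked', 'ok' or 'fail'. `users` maps name -> (salt, digest)."""
        now = self.clock()
        if self.is_locked(ip):
            self.events.append(f"{now:.0f} attempt-while-locked ip={ip} user={user}")
            return "locked"
        record = users.get(user)
        salt, digest = record if record is not None else DUMMY_RECORD
        # Always run the slow hash, even for unknown users, to keep timing uniform.
        matches = verify_password(password, salt, digest)
        if record is not None and matches:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.events.append(f"{now:.0f} lockout ip={ip} failures={self.failures[ip]}")
        return "fail"


if __name__ == "__main__":
    # Constructed walk-through: one good login, five failures, then a lockout.
    users = {"alice": hash_password("correct horse")}
    guard = LoginGuard()
    print(guard.attempt("10.0.0.1", "alice", "correct horse", users))
    for _ in range(MAX_FAILURES):
        print(guard.attempt("10.0.0.1", "alice", "wrong", users))
    print(guard.attempt("10.0.0.1", "alice", "correct horse", users))
    print("\n".join(guard.events))
```

Two design notes: the hash is run even when the username does not exist, so the server's response time does not tell a client which accounts are real; and a per-IP lockout also shuts out every legitimate user behind the same NAT or proxy, which is why deployments usually pair it with a per-account counter and a growing delay rather than relying on the IP rule alone.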