HP3000-L Archives

February 2006, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Art Bahrs <[log in to unmask]>
Date: Wed, 8 Feb 2006 16:20:55 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (79 lines)
Hi Greg :)
   uh... I worded that badly... trying to get over a very bad cold... meds
do bad things to my wording :)

   What I meant was that Counterpane will alert us if there are too many
attempts in a specified amount of time ... which signals that there is a
"robotic" attempt being made to find a valid user id on a system... hit
return on a 3k that hasn't had the messages changed... a "user doesn't exist"
type message comes back... if you have a valid user id such as manager.sys
but a bad password you get a different message... you now know that
manager.sys is a valid user id and can go to work on the password...

    The manager.sys account should be locked out after 3 failed attempts to
guess/mistype the password... This does raise issues and risks... see your
corporate Security Policies.

     The issue of a timed lockout that unlocks after a specified period of
time is an option and will need to be evaluated in the context of your
corporation's security policies.

Art "snif, snif" Bahrs
=======================================================
Art Bahrs, CISSP           Information Security          The Regence Group
(503) 225-4992              FAX (503) 220-3806


From: "Greg Stigers" <gregstigers@spamcop.net>
Sent by: "Greg Stigers" <gregstigers@gmail.com>
To: [log in to unmask], [log in to unmask]
Subject: Re: passwords
Date: 02/08/2006 04:07 PM
Please respond to: "Greg Stigers" <gregstigers@spamcop.net>

>     Better answer: No time difference because your system should lock any
> and all accesses out after no more than 3 missed authentication attempts
> and should alert your pager via the method of your choice if your threshold
> for failed attempts by bad user name is exceeded.

Doesn't this leave one vulnerable to a DOS attack? Or does the lock expire
after some not-unreasonable interval? Something too long to make even a scan
of a large number of users practical, but not too long to expect a user to
make himself or herself useful without logging on.

Greg Stigers
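The mechanics the two messages argue over, as an added example in Python that is not from this thread and not from any HP 3000 or MPE software: one response text for every failure path, so a bad user id and a bad password cannot be told apart (Art's point about systems that still have the default messages); a lock after 3 failed attempts that expires on its own after an interval (Greg's denial-of-service question); and an alert when failed attempts across all user ids exceed a threshold inside a sliding window (the "robotic" pattern the monitoring service would flag). The Authenticator class, the run_demo function, the 15-minute unlock interval, the 60-second window, the alert threshold of 10, and the constructed user ids, passwords and source address are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from collections import deque

# Policy values. The 3-attempt lockout follows the thread; the unlock interval,
# the alert window and the alert threshold are assumptions made for this example.
LOCKOUT_THRESHOLD = 3
LOCKOUT_SECONDS = 15 * 60
ALERT_WINDOW_SECONDS = 60
ALERT_THRESHOLD = 10

# One response for every failure path, so the caller cannot tell "no such user"
# from "bad password" or "account locked" by reading the message.
GENERIC_FAILURE = "Invalid user id or password"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, credentials: dict) -> None:
        # Constructed credential store: user id -> (salt, derived key).
        self._store = {}
        for user, pw in credentials.items():
            salt = os.urandom(16)
            self._store[user] = (salt, _derive(pw, salt))
        self._failures = {}        # user id -> consecutive failures
        self._locked_until = {}    # user id -> time the lock expires
        self._recent = deque()     # (time, source) of recent failures, any user
        self.alerts = []           # alert messages raised so far

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Timed unlock: the lock expires and the failure count starts over.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def login(self, user: str, password: str, now: float, source: str) -> tuple:
        record = self._store.get(user)
        if record is None:
            self._note_failure(now, source)
            return False, GENERIC_FAILURE
        if self.is_locked(user, now):
            # A correct password is also rejected while locked, so the lock
            # cannot be used to confirm a guess.
            self._note_failure(now, source)
            return False, GENERIC_FAILURE
        salt, expected = record
        if hmac.compare_digest(_derive(password, salt), expected):
            self._failures.pop(user, None)
            return True, "OK"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_SECONDS
        self._note_failure(now, source)
        return False, GENERIC_FAILURE

    def _note_failure(self, now: float, source: str) -> None:
        # Sliding window over all failures, unknown user ids included.
        self._recent.append((now, source))
        while self._recent and now - self._recent[0][0] > ALERT_WINDOW_SECONDS:
            self._recent.popleft()
        if len(self._recent) >= ALERT_THRESHOLD:
            sources = sorted({s for _, s in self._recent})
            self.alerts.append(f"{len(self._recent)} failed logons within {ALERT_WINDOW_SECONDS}s from {sources}")
            self._recent.clear()


def run_demo() -> dict:
    # Constructed credentials; the password exists only for this demo.
    auth = Authenticator({"manager.sys": "demo-only-pw"})
    out = {}
    # 1. Enumeration: an unknown user id and a bad password look the same.
    _, m1 = auth.login("nouser.sys", "x", now=0.0, source="10.0.0.9")
    _, m2 = auth.login("manager.sys", "x", now=1.0, source="10.0.0.9")
    out["same_message"] = m1 == m2
    # 2. Lockout after three failures; the correct password is now rejected too.
    auth.login("manager.sys", "x", now=2.0, source="10.0.0.9")
    auth.login("manager.sys", "x", now=3.0, source="10.0.0.9")
    ok, _ = auth.login("manager.sys", "demo-only-pw", now=4.0, source="10.0.0.9")
    out["locked_rejects_correct"] = not ok
    # 3. Timed unlock: once the interval passes, the real user can log on again.
    ok, _ = auth.login("manager.sys", "demo-only-pw",
                       now=4.0 + LOCKOUT_SECONDS, source="console")
    out["unlocked_after_interval"] = ok
    # 4. Alert: a burst of bad user ids within the window raises one alert.
    for i in range(ALERT_THRESHOLD):
        auth.login(f"guess{i}.sys", "x", now=10_000.0 + i, source="10.0.0.9")
    out["alerts_raised"] = len(auth.alerts)
    return out
```

run_demo() returns a dict of the four outcomes (same message for both failure kinds, lock rejects the correct password, lock expires after the interval, one alert for the burst). Two design choices are worth noting: the lock is kept only for user ids that exist, so a flood of made-up names cannot fill the lock table, while the alert window counts those made-up names too, because a scan for valid user ids never trips a per-account lock; and a correct password is refused while the lock is in force, so the lock itself does not leak whether a guess was right.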




