Here's a question that came up. About systems that lock an ID out
indefinitely after n failed login attempts. Isn't that regarded as making
said system vulnerable to a denial of service attack? Especially on a system
that distinguishes between a failed logon due to an incorrect password, and
a failed logon due to an invalid user name?
I should probably look at what the IETF working groups have to say about
this one. But if anyone already knows, I would be fascinated to hear what
they have to say.
Greg Stigers
http://www.cgiusa.com