Re: D.O.S for NT bad for Unix
Quoting krams@grewe.net (krams@grewe.net):
> Almost unanimously, security standards for NT boxes suggest to
> configure an account lock after several unsuccessful login attempts.
> Searching the web in and out didn't show me anything similar for *nix
> based systems. Is this concept too alien to *nix to be implemented or
> should I - once again - question my research capabilities?
We had VAXen that had that turned on. At one site, it was
used for console management. You connect to it, it connects
you to your console.
Problem was that we needed consoles MAYBE every 6 months.
The passwords expired after 90 days. And if you mis-entered
3 times, you got locked out.
So it's 2AM, your machine won't come back up, you go to
the console. What was that password I changed it to last time?
You forget, you get locked out.
I made it a habit, afterwards, to walk over to the machine of
the guy who set that policy. I'd log in as him 3 times with the
wrong password and walk away. He'd have to override it and
reset his password.
I made my point.
The BEST PRACTICE is to use non-reusable passwords. DES tokens,
S/Key, SecurID, biometric (or perhaps a bio-device plus a PW
that unlocks your smartcard that has your certs on it.)
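As an added illustration (not part of the original post or the VAX setup it describes), this is what the *nix equivalent of the NT lockout policy looks like with Linux-PAM's pam_faillock module. The first, commented-out block reproduces the three-strikes-and-locked-until-an-admin-resets-you policy from the story; the second bounds the lock so it clears on its own. It assumes a Linux-PAM 1.4 or later system with the default file locations; the numbers are example values, not a recommendation for any particular site.

```conf
# /etc/security/faillock.conf

# Policy from the post: three misses and the account stays locked until
# someone with access runs `faillock --user <name> --reset`.  This is the
# setting that turns a typo at the console into a 2AM lockout, and lets
# anyone who knows a login name lock that user out at will.
#deny = 3
#unlock_time = 0            # 0 (or "never") means locked until manually reset

# Bounded version: a burst of failures still locks the account, but the
# lock expires by itself, so a forgotten password or a deliberate
# wrong-password run costs minutes rather than a call to an admin.
deny = 5                   # failures before the lock engages
fail_interval = 900        # only failures within this many seconds count
unlock_time = 600          # lock clears on its own after 10 minutes

# even_deny_root is deliberately left unset: the root/console path is
# the one you need at 2AM, so it must not be lockable from the network.

# /etc/pam.d/system-auth (or the distribution's equivalent): the counter
# only does anything if the module is wired into the auth stack.
#auth     required       pam_faillock.so preauth
#auth     sufficient     pam_unix.so
#auth     [default=die]  pam_faillock.so authfail
#auth     required       pam_faillock.so authsucc
#account  required       pam_faillock.so
```

Check the state of a locked account with `faillock --user <name>` and clear it with `faillock --user <name> --reset`. Note the caveat that the bounded lock only shrinks the denial-of-service window: someone who keeps sending wrong passwords every few minutes can keep the account locked indefinitely, which is why the console path stays outside the counter and why the post's point about non-reusable credentials still stands.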