
Re: login sleeps too long on incorrect logins...



Ok, you are right about that, but I think that at least 1 second would be
ok anyway just to delay the brute force attack, so I suggest adding a
random time like (1..3) - _the time that crypt took_ only if crypt took
less than 1 second.

On Mon, 4 Jun 2001, Denis A. Doroshenko wrote:

> so what? it's random in range 1..3 seconds. but at the same time
> crypt(3) takes less than 0.2 seconds. so login on wrong usernames login
> sleeps for 5 times more than on good usernames. that's the thing to
> consider. if you talk about delaying against brute force login does it no
> matter good or bad username is.
> 
> On Mon, Jun 04, 2001 at 11:11:34AM -0300, Daniel Grunblatt wrote:
> > No pal, it's a random time.
> > 
> 
> -- 
> Denis A. Doroshenko  [GPRS/IN/WAP, VAS group engineer] .-.        _|_  |
> [Omnitel Ltd., T.Sevcenkos st. 25, Vilnius, Lithuania] | | _ _  _ .| _ |
> [Phone: +370 9863486 E-mail: d.doroshenko@omnitel.net] |_|| | || |||(/_|_
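
The padding proposed at the top of this message, sketched in C as an added example; it is not code from the thread or from login(1). The function names are hypothetical, the timings in `main` are constructed, and the caller is assumed to take a `CLOCK_MONOTONIC` timestamp before the username lookup.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define USEC_PER_SEC 1000000LL

/* Sleep still owed so that check time + sleep equals target_us. As in the
 * proposal, pad only when the check itself took less than 1 second. */
int64_t failure_pad_us(int64_t check_us, int64_t target_us)
{
    if (check_us < 0)
        check_us = 0;
    if (check_us >= USEC_PER_SEC)
        return 0;
    return target_us > check_us ? target_us - check_us : 0;
}

/* Random total in the 1..3 second range, at millisecond granularity.
 * rand() keeps the example portable; it is not a CSPRNG. */
int64_t pick_target_us(void)
{
    return (1000 + (int64_t)(rand() % 2001)) * 1000;
}

/* Called on a failed login; start was taken (CLOCK_MONOTONIC) before the
 * username lookup. Returns the microseconds slept. */
int64_t delay_failed_login(const struct timespec *start, int64_t target_us)
{
    struct timespec now, ts;
    clock_gettime(CLOCK_MONOTONIC, &now);
    int64_t spent = (int64_t)(now.tv_sec - start->tv_sec) * USEC_PER_SEC
                  + (now.tv_nsec - start->tv_nsec) / 1000;
    int64_t pad = failure_pad_us(spent, target_us);
    ts.tv_sec = (time_t)(pad / USEC_PER_SEC);
    ts.tv_nsec = (long)(pad % USEC_PER_SEC) * 1000;
    if (pad > 0)
        nanosleep(&ts, NULL);   /* a signal can cut this short; not retried here */
    return pad;
}

int main(void)
{
    /* Constructed timings: unknown user (no crypt) vs. known user (0.2 s). */
    printf("unknown user sleeps %lld us\n", (long long)failure_pad_us(0, 2000000));
    printf("known user sleeps   %lld us\n", (long long)failure_pad_us(200000, 2000000));
    return 0;
}
```

With the same target, both failure paths finish after the same total time, so the response delay no longer shows whether crypt(3) ran.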