| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Aug 2006 09:57:43 -0400 From: "Brendan Dolan-Gavitt" <mooyix@...il.com> To: "Renshaw, Rick (C.)" <rrenshaw@...d.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Secure OWA On 8/30/06, Renshaw, Rick (C.) <rrenshaw@...d.com> wrote: > > > -----Original Message----- > From: full-disclosure-bounces@...ts.grok.org.uk > [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dude > VanWinkle > Sent: Saturday, August 26, 2006 2:30 PM > To: Adriel Desautels > Cc: full-disclosure@...ts.grok.org.uk > Subject: Re: [Full-disclosure] Secure OWA > > > The only real fault I know about is the fact that you can guess passwords > eternally without locking out user accounts. > > There's two sides to this risk. If you allow OWA logins to lock out > accounts, and your OWA page is available from anywhere on the Internet, you > are handing an easy DOS tool to anyone that knows the account names for > people on your server. > Perhaps. But a temporary lockout period would deter brute-force attempts while still making an attacker do some work to keep the accounts locked (eg, if you have a lockout of 5 minutes, brute forcing is no longer practical, but at the same time, if you want to DoS someone's account you have to keep coming back every 5 minutes. And that increases the risk you'll get caught.) -Brendan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists