Path: utzoo!utgpu!watmath!clyde!att!rutgers!apple!vsi1!v7fs1!mvp
From: mvp@v7fs1.UUCP (Michael Van Pelt)
Newsgroups: comp.unix.wizards
Subject: Password Guessing (was Re: /etc/failures)
Message-ID: <121@v7fs1.UUCP>
Date: 2 Dec 88 19:15:56 GMT
References: <407@uwslh.UUCP>
Reply-To: mvp@v7fs1.UUCP (Michael Van Pelt)
Organization: Video 7, Cupertino, CA
Lines: 21

My favorite idea for a password-guesser trap is to set a flag after bad
attempts, where is about 10 or so. Then, login will stop checking the
password; it will just echo "bad login\nlogin:" as if it was a bad
password. The cracker gets no notification that he's no longer going to
know if he gets the password correct. If the user hangs up and calls back,
the flag is reset, and he gets another crack at it. There should be some
notification mechanism to go with this.

This has another advantage, in that the system is doing a cheap sleep(3)
instead of an expensive password encrypt when a cracker is banging on the
line.

AT&T System V.3 has the nifty feature that you wait 30 seconds after a bad
password before the login: prompt comes back. That's a pain when you miskey
the password, but it would be much worse for someone trying to brute-force
guess.
-- 
Mike Van Pelt                    When the fog came in on little cat feet
Video 7                          last night, it left these little muddy
...ames!vsi1!v7fs1!mvp           paw prints on the hood of my car.