IETF-SSH archive
Re: "too many auth failures"?
On Wed, Oct 27, 2010 at 10:15:12AM -0400, der Mouse wrote:
> >> My view is that servers should have two failure counters: one for
> >> password and keyboard-interactive, another one for all others.
> > Yeah, I'd thought about that too, but where do you stop? Which
> > counter type would a ZKP use? Or EKE? Or IBE?
>
> The "all others".
>
> Think about the point of those failure counters: they're designed to
> slow down password-guessing attacks. publickey, ZKP, etc, don't have
> anything like password-guessing risks, so it's arguably inappropriate
> to do failure counters for them.
EKE is password-based, therefore it has a password-guessing problem. I
assume ZKP here means zero-knowledge proof, and if it's a proof of a
password, then that too falls into the password-based method list that
should be subject to a small retry counter.
Nico
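
An added illustration of the counter split discussed in this thread, not code from any poster or from an SSH implementation: it replays constructed attempt sequences against one shared failure counter and against two counters, with every password-derived method in the small-retry class. The limits (6, 3, 20) and the method names `eke` and `zkp-password` are assumptions made for the example.

```python
# Password-derived methods share the small retry budget. "eke" and
# "zkp-password" are hypothetical method names, not registered SSH methods.
PASSWORD_BASED = {"password", "keyboard-interactive", "eke", "zkp-password"}

class SingleCounter:
    """One failure counter for every method (limit is an assumed value)."""
    def __init__(self, limit=6):
        self.limit, self.failures = limit, 0
    def fail(self, method):
        self.failures += 1
        return self.failures < self.limit      # False means disconnect

class SplitCounter:
    """Two counters: password-based methods, and all others (assumed limits)."""
    def __init__(self, guess_limit=3, other_limit=20):
        self.limits = {"guess": guess_limit, "other": other_limit}
        self.failures = {"guess": 0, "other": 0}
    def fail(self, method):
        bucket = "guess" if method in PASSWORD_BASED else "other"
        self.failures[bucket] += 1
        return self.failures[bucket] < self.limits[bucket]

def run(policy, attempts):
    """Replay (method, succeeds) pairs; return (outcome, attempts consumed)."""
    for n, (method, ok) in enumerate(attempts, 1):
        if ok:
            return ("authenticated", n)
        if not policy.fail(method):
            return ("disconnected", n)
    return ("gave-up", len(attempts))

# Constructed sequences: a user whose client offers six non-matching keys
# before the correct password, and two guessers who never succeed.
MANY_KEYS = [("publickey", False)] * 6 + [("password", True)]
PW_GUESSER = [("password", False)] * 10
EKE_GUESSER = [("eke", False)] * 10

if __name__ == "__main__":
    for name, seq in [("many keys", MANY_KEYS), ("password guesser", PW_GUESSER),
                      ("EKE guesser", EKE_GUESSER)]:
        print(name, run(SingleCounter(), seq), run(SplitCounter(), seq))
```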