[Cryptography] NIST SP 800-63-3

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 14 23:20:43 EDT 2017


Jerry Leichter <leichter at lrw.com> writes:

>I've always liked the VMS approach - dating back to the 1980's:  After some
>threshold of incorrect attempts within a defined period (say, 5 within 2
>minutes) is reached, the account is put into "evasion mode" for a random
>period of time between (say, 2 to 10 minutes).  In evasion mode, *all*
>passwords are rejected.  As long as attempts to log in continue, evasion mode
>is extended.  Once they stop, evasion mode times out and the correct password
>will work again.  Yes, denial of service is possible - but the attack has to
>continue indefinitely.

A variant of this extends the evasion across all accounts, which is an
effective way to try and address the standard retry-count-defeating attack of
trying one password across many accounts rather than many passwords against
one account.  Obviously this only works for a server that typically only has a
few logins per day for administrative purposes (DBAs, sysadmins, etc.), not
something with hundreds or thousands of users logging in and out all day long.

Peter.
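The evasion-mode policy in the thread is simple enough to write down as a
reference implementation. The code below is an added example for this archive
page, not VMS code and not code from either poster; the class, method and
parameter names (`EvasionGuard`, `attempt`, `threshold`, `window`,
`evasion_min`, `evasion_max`, `global_scope`) are assumptions made here. It
implements both variants: Jerry's per-account evasion mode (N failures within
a window trigger a random-length evasion period during which every password,
including the correct one, is rejected and each further attempt extends the
period) and Peter's global variant that keys the state on a single shared slot
so that one-password-many-accounts spraying also trips it. The credential
store is a constructed plaintext dict purely so the example runs offline; a
real service compares against stored password hashes.

```python
import hmac
import random
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class _State:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    evasion_until: float = 0.0                       # 0.0 means not in evasion mode


class EvasionGuard:
    """VMS-style 'evasion mode' login throttle (hypothetical names, added example)."""

    def __init__(self, credentials, threshold=5, window=120.0,
                 evasion_min=120.0, evasion_max=600.0, global_scope=False,
                 clock=time.monotonic, rng=None):
        self._creds = credentials          # constructed sample: username -> password
        self.threshold = threshold         # failures within `window` that trigger evasion
        self.window = window               # seconds over which failures are counted
        self.evasion_min = evasion_min     # random evasion period lower bound (seconds)
        self.evasion_max = evasion_max     # random evasion period upper bound (seconds)
        self.global_scope = global_scope   # True: one shared state for all accounts
        self.clock = clock                 # injectable so tests can control time
        self.rng = rng or random.SystemRandom()
        self._states = {}

    def _key(self, username):
        # Peter's variant: every account shares one slot, so a spray across
        # many usernames accumulates failures just like a spray against one.
        return "*" if self.global_scope else username

    def _new_evasion_end(self, now):
        return now + self.rng.uniform(self.evasion_min, self.evasion_max)

    def in_evasion(self, username):
        st = self._states.get(self._key(username))
        return st is not None and st.evasion_until > self.clock()

    def attempt(self, username, password):
        """Return True only if the password is correct AND evasion mode is off."""
        now = self.clock()
        st = self._states.setdefault(self._key(username), _State())

        if st.evasion_until > now:
            # In evasion mode every attempt is rejected, and continued attempts
            # push the end of the period further out (never shorten it).
            st.evasion_until = max(st.evasion_until, self._new_evasion_end(now))
            return False
        st.evasion_until = 0.0  # any earlier period has timed out

        expected = self._creds.get(username)
        ok = expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8"))
        if ok:
            return True

        # Record the failure and drop failures that fell out of the window.
        st.failures.append(now)
        while st.failures and now - st.failures[0] > self.window:
            st.failures.popleft()
        if len(st.failures) >= self.threshold:
            st.failures.clear()
            st.evasion_until = self._new_evasion_end(now)
        return False


class FakeClock:
    """Deterministic clock for demos and tests."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Walk through the scenario from the thread; returns (results, in_evasion) lists."""
    clock = FakeClock()
    guard = EvasionGuard({"alice": "correct horse"}, threshold=5, window=120,
                         evasion_min=300, evasion_max=300, clock=clock)
    results = [guard.attempt("alice", "wrong") for _ in range(5)]  # 5th trips evasion
    clock.advance(100)
    results.append(guard.attempt("alice", "correct horse"))       # rejected, extends
    clock.advance(350)                                             # attempts stop
    results.append(guard.attempt("alice", "correct horse"))       # works again
    return results, guard.in_evasion("alice")


if __name__ == "__main__":
    print(run_demo())
```

The injectable `clock` and `rng` exist only to make the behaviour reproducible; in
production leave the defaults (`time.monotonic` and `random.SystemRandom`) so the
evasion length is genuinely unpredictable to the caller. The denial-of-service
trade-off Jerry mentions is visible in `attempt`: while failures keep arriving
the legitimate user is locked out too, which is why the global variant is only
sensible on a box with a handful of administrative logins.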
