Password Guessing (was Re: /etc/failures)

Michael Van Pelt mvp at v7fs1.UUCP
Sat Dec 3 05:15:56 AEST 1988


My favorite idea for a password-guesser trap is to set a flag after 
<x> bad attempts, where <x> is about 10 or so.  Then, login will stop
checking the password, it will just echo "bad login\nlogin:" as
if it was a bad password.  The cracker gets no notification that he's
no longer going to know if he gets the password correct.  If the
user hangs up and calls back, the flag is reset, and he gets another
<x> cracks at it.  There should be some notification mechanism to go
with this.

This has another advantage, in that the system is doing a cheap
sleep(3) instead of an expensive password encrypt when a cracker is
banging on the line.

AT&T System V.3 has the nifty feature that you wait 30 seconds after
a bad password before the login: prompt comes back.  That's a pain
when you miskey the password, but it would be much worse for someone
trying to brute-force guess.
-- 
Mike Van Pelt                       When the fog came in on little cat feet
Video 7                             last night, it left these little muddy
...ames!vsi1!v7fs1!mvp              paw prints on the hood of my car.
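The trap described in the post, as an added example (not code from the original message or from any real login(1)): a small C simulation of the login loop that stops calling the password check after <x> bad attempts, answers identically to right and wrong passwords from then on, imposes the System V.3 style delay, fires a one-time notification, and resets on hangup. MAX_TRIES, DELAY_SECS, the stub check_password (a stand-in for crypt(3) against the passwd entry) and the user/password pair are all assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the original post: a simulated login
 * loop implementing the password-guesser trap described above.
 * The threshold, the delay, the stub password check and the session
 * bookkeeping are assumptions made for illustration.
 */

#define MAX_TRIES  10   /* <x> from the post: after this many bad tries, stop checking */
#define DELAY_SECS 30   /* the System V.3 style pause after a bad password */

struct login_session {
    int  bad_attempts;        /* bad passwords seen on this connection */
    bool trapped;             /* set once bad_attempts reaches MAX_TRIES */
    bool notified;            /* the notification mechanism the post asks for */
    int  encrypt_calls;       /* instrumentation: real password checks performed */
    int  sleep_calls;         /* instrumentation: cheap sleeps performed instead */
    int  delay_total;         /* seconds of delay imposed on the caller */
    void (*delay)(int secs);  /* NULL = record only; a real login passes sleep(3) */
};

/* Stand-in for the real check (crypt(3) against the passwd entry).
 * Constructed test data: one user with a fixed password. */
static bool check_password(const char *user, const char *pw)
{
    return strcmp(user, "mvp") == 0 && strcmp(pw, "correct-horse") == 0;
}

static void impose_delay(struct login_session *s, int secs)
{
    s->delay_total += secs;
    if (s->delay)
        s->delay(secs);
}

/* Fires once per connection when the trap arms; a real system would
 * syslog or write to the console rather than stderr. */
static void notify_admin(struct login_session *s, const char *user)
{
    if (!s->notified) {
        fprintf(stderr, "login: %d bad passwords for %s; trap armed\n",
                s->bad_attempts, user);
        s->notified = true;
    }
}

/* Process one password attempt; returns exactly what login would print.
 * Once trapped, the reply is identical whether or not pw is correct. */
const char *login_attempt(struct login_session *s, const char *user, const char *pw)
{
    const char *bad = "bad login\nlogin: ";

    if (s->trapped) {
        /* No crypt(3) call at all: the cracker can no longer learn anything,
         * and the system spends a sleep instead of an encrypt. */
        s->sleep_calls++;
        impose_delay(s, DELAY_SECS);
        return bad;
    }

    s->encrypt_calls++;
    if (check_password(user, pw))
        return "login ok\n";

    s->bad_attempts++;
    if (s->bad_attempts >= MAX_TRIES) {
        s->trapped = true;
        notify_admin(s, user);
    }
    impose_delay(s, DELAY_SECS);
    return bad;
}

/* Hangup and redial: the post's reset, giving <x> fresh tries. */
void session_reset(struct login_session *s, void (*delay)(int))
{
    memset(s, 0, sizeof *s);
    s->delay = delay;
}

int main(void)
{
    struct login_session s;
    session_reset(&s, NULL);   /* NULL: record delays, don't actually sleep */
    for (int i = 0; i < MAX_TRIES; i++)
        login_attempt(&s, "mvp", "guess");
    /* The correct password now gets the same answer as a wrong one. */
    printf("%s", login_attempt(&s, "mvp", "correct-horse"));
    printf("encrypt calls: %d, sleeps: %d, delay: %ds\n",
           s.encrypt_calls, s.sleep_calls, s.delay_total);
    return 0;
}
```

One caveat a practitioner should keep in mind: the trapped path has to take about as long as a real check, or a cracker can detect the trap from response timing and simply redial; the post's sleep(3) in place of the encrypt serves that purpose as well as saving CPU. And because the flag lives with the connection, the redial reset means the notification, not the trap itself, is what turns a slowed-down guesser into a detected one.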
