new password idea

Mitch Wright mitch at hq.af.mil
Fri Apr 26 01:57:13 AEST 1991


/* 
 * On 25 Apr 91 00:03:23 GMT, 
 * bennett at mp.cs.niu.edu (Scott Bennett) said:
 * 
 */ 

Scott> another useful feature:  after a certain number of bad passwords are
Scott> given consecutively for a logonid, the logonid is suspended.  No
Scott> further access is allowed for that logonid until [...]

Steve> Yup -- it's a great way to lock out the system administrators when
Steve> you're ready to do some serious monkey business.  Or you can lock out
Steve> anyone else you don't like.  This is known as a denial-of-service
Steve> attack.

Scott> [...]  In our shop, we have taken the view that denial is better than
Scott> unauthorized access because denial of access leaves everything intact,
Scott> whereas that cannot be guaranteed in the case of unauthorized access.
Scott> Lockout of systems programmers has not been a problem.

It can *not* be guaranteed in *either* case.  If I manage to break into your
system and lock out everyone but the account I'm using, YOU are being denied
service... not me.

Scott> Even if someone succeeded in doing that to all of the privileged
Scott> logonids that our group uses, we would still have other ways to get
Scott> back in, but those ways all require being in the computer room, which
Scott> is a secured area.

Yeah, so.  "rm -rf /" doesn't take much time to do sufficient damage.  Not to
even mention that you wouldn't be heading to the computer room until the
intruder is detected.  And what about the intruder that is on your system
at 3am?

--
  ~mitch
_______________________________________________________________________________

   mitch at hq.af.mil (Mitch Wright) | The Pentagon, 1B1046 | (703) 695-0262
_______________________________________________________________________________
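The thread above argues over suspending a logonid after N consecutive bad passwords and the denial-of-service that policy invites. The following is an added example, not code from the thread or from any participant: a lockout tracker in which the suspension expires on its own and escalates with repeated bursts, so a flood of bad passwords against an administrator's logonid delays access for a bounded time instead of denying it until someone reaches the computer room. Class and parameter names are assumptions.

```python
# Added illustration (not from the original thread): consecutive-failure
# lockout with a self-expiring, escalating suspension instead of an
# indefinite one.  Names and thresholds are assumed, not from the post.
from dataclasses import dataclass


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0  # clock value; 0.0 means not suspended


class LockoutPolicy:
    """Suspend a logonid after `threshold` consecutive bad passwords.

    The suspension lasts `base_lock` seconds, doubles for every further
    `threshold` failures, and never exceeds `max_lock`, which bounds the
    denial-of-service an attacker can inflict on any single logonid.
    """

    def __init__(self, threshold=5, base_lock=60.0, max_lock=3600.0):
        self.threshold = threshold
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.accounts: dict[str, AccountState] = {}

    def _state(self, logonid):
        return self.accounts.setdefault(logonid, AccountState())

    def lock_remaining(self, logonid, now):
        """Seconds left on the suspension, 0.0 if none."""
        return max(0.0, self._state(logonid).locked_until - now)

    def is_locked(self, logonid, now):
        return self.lock_remaining(logonid, now) > 0.0

    def record_attempt(self, logonid, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        st = self._state(logonid)
        if st.locked_until > now:
            return "locked"  # refuse even a correct password while suspended
        if password_ok:
            st.consecutive_failures = 0
            st.locked_until = 0.0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.threshold:
            bursts = st.consecutive_failures // self.threshold
            length = min(self.base_lock * 2 ** (bursts - 1), self.max_lock)
            st.locked_until = now + length
        return "denied"
```

A successful login clears the counter, and `max_lock` is the longest any one flood of bad passwords can keep a legitimate user out; the escalation still makes online guessing slow enough to be impractical.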
