Bogus "account hacked" message

Grant Taylor cctalk at gtaylor.tnetconsulting.net
Tue Jan 8 21:47:25 CST 2019


On 1/8/19 8:39 PM, Fred Cisin via cctalk wrote:
> 3 failures is not enough for some legitimate human failings.

There's a high chance for false positives there.

> I occasionally will forget a password, and make 4 or 5 tries; and then, 
> a few days later, remember it.

I wonder if it's three password attempts (likely in a single connection) 
or three failed connections.

I could see how three failed connections would suffice, as that would be 
nine password attempts.

> So, I MUCH prefer the concept of a logarithmically increasing lockout, 
> starting small. Maybe as little as a millisecond, to permit a REASONABLE 
> number of "maybe it was...", but thoroughly block brute force and 
> dictionary/list attempts.

I created a fancy IPTables rule set that used the recent match extension 
to dynamically (in kernel, without any files on the drive) produce a 
back-off period.  I don't remember the exact count of things, or the 
timings.  But I do recall that it was something like 5 minutes, 30 
minutes, 1 hour, 1 day, 1 week, 1 month, 1 year.  I don't think I had 
permanent.  (Maybe I did.  It's been 15+ years.)



-- 
Grant. . . .
unix || die
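
Added example (not Grant's rule set, which the post says is no longer
remembered): one way to build the escalating lockout he describes with the
iptables recent match, emitted in iptables-restore format. Assumptions, none
of which come from the post: sshd on tcp/22, IPv4 only, the xt_recent module
available, chain names SSH_BACKOFF/SSH_ESCALATE/SSH_BANn, a 60-second
counting window in which the 4th new connection triggers a ban (so three
connections, or roughly nine password prompts, are free), the five shorter
tiers he recalls (5 min, 30 min, 1 h, 1 day, 1 week), and an optional
TRUST_NET that is never rate-limited.

```shell
#!/bin/sh
# Escalating ("back-off") lockout for new SSH connections, built from the
# iptables "recent" match and emitted as iptables-restore input.
# Added example, not the rule set from the post.  Assumptions: sshd on tcp/22,
# IPv4 only, xt_recent available, and the tier lengths below; longer tiers
# (1 month, 1 year) can be appended to TIERS.

SSH_PORT="${SSH_PORT:-22}"
WINDOW=60                              # seconds over which new connections are counted
HITS=4                                 # 4th new connection inside WINDOW triggers a ban; 3 are free
TIERS="300 1800 3600 86400 604800"     # ban length per tier, in seconds (assumed values)
TRUST_NET="${TRUST_NET:-}"             # optional CIDR that is never rate-limited (assumed)

ssh_backoff_rules() {
    n=0; rev=""
    for t in $TIERS; do n=$((n + 1)); rev="$t $rev"; done

    echo '*filter'
    echo ':SSH_BACKOFF - [0:0]'
    echo ':SSH_ESCALATE - [0:0]'
    i=1
    while [ "$i" -le "$n" ]; do echo ":SSH_BAN$i - [0:0]"; i=$((i + 1)); done

    echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_BACKOFF"
    if [ -n "$TRUST_NET" ]; then
        echo "-A SSH_BACKOFF -s $TRUST_NET -j ACCEPT"
    fi

    # 1. Already banned?  Check the longest tier first.  --rcheck, not
    #    --update, so that knocking during a ban does not extend it: the ban
    #    runs exactly TIER seconds from the --set that created it.
    i=$n
    for t in $rev; do
        echo "-A SSH_BACKOFF -m recent --name SSH_BAN$i --rcheck --seconds $t -j DROP"
        i=$((i - 1))
    done

    # 2. Record this attempt; on the HITS-th attempt within WINDOW, escalate.
    #    Only hits inside the window count, so a client that waited out a ban
    #    gets HITS-1 fresh tries.  hitcount is capped by xt_recent's
    #    ip_pkt_list_tot module parameter (default 20).
    echo "-A SSH_BACKOFF -m recent --name SSH_NEW --set"
    echo "-A SSH_BACKOFF -m recent --name SSH_NEW --update --seconds $WINDOW --hitcount $HITS -j SSH_ESCALATE"
    echo "-A SSH_BACKOFF -j ACCEPT"

    # 3. Escalation: an address that already reached tier k goes to tier k+1;
    #    the top tier repeats.  --rcheck without --seconds means "still in the
    #    list", and each list holds ip_list_tot entries (default 100, oldest
    #    evicted), so raise it at module load time for long tiers, e.g.
    #    "options xt_recent ip_list_tot=4096" in /etc/modprobe.d/.
    i=$n
    while [ "$i" -gt 1 ]; do
        echo "-A SSH_ESCALATE -m recent --name SSH_BAN$((i - 1)) --rcheck -j SSH_BAN$i"
        i=$((i - 1))
    done
    echo "-A SSH_ESCALATE -j SSH_BAN1"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "-A SSH_BAN$i -m recent --name SSH_BAN$i --set -j DROP"
        i=$((i + 1))
    done
    echo 'COMMIT'
}

# Print the rules, or apply them as root (once: re-running appends a second
# INPUT jump) with:  ./ssh-backoff.sh apply
case "${1:-}" in
    apply) ssh_backoff_rules | iptables-restore --noflush ;;
    *)     ssh_backoff_rules ;;
esac
```

The lists live only in kernel memory and are visible under
/proc/net/xt_recent/SSH_BANn; writing "-1.2.3.4" to one of those files
removes that address, which is how you un-ban a locked-out user without
touching the rules.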

