Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!ucbvax!ulysses!ulysses.att.com!smb
From: smb@ulysses.att.com (Steven Bellovin)
Newsgroups: comp.unix.wizards
Subject: Re: new password idea
Message-ID: <14655@ulysses.att.com>
Date: 24 Apr 91 17:06:45 GMT
References: <26616@adm.brl.mil> <1991Apr23.182654.22452@odin.corp.sgi.com> <1991Apr24.004539.3881@mp.cs.niu.edu>
Sender: netnews@ulysses.att.com
Lines: 13

In article <1991Apr24.004539.3881@mp.cs.niu.edu>, bennett@mp.cs.niu.edu (Scott Bennett) writes:
}
} On some of our non-UNIX systems we use a security package that has
} another useful feature: after a certain number of bad passwords are
} given consecutively for a logonid, the logonid is suspended. No
} further access is allowed for that logonid until someone with authority
} to reactivate it has become involved. While this in itself offers
} an avenue for abuse

Yup -- it's a great way to lock out the system administrators when
you're ready to do some serious monkey business. Or you can lock out
anyone else you don't like. This is known as a denial-of-service
attack.
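
The suspension rule and the lockout problem discussed above, as an added simulation that is not part of the original post or of any real security package. The class name, the threshold of 3, the sample accounts and the rule that a suspended admin cannot reactivate anyone are all assumptions made for illustration.

```python
"""Simulation of the consecutive-failure suspension rule discussed above."""
import hmac
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:                # hypothetical model, not a real package
    passwords: dict                 # logonid -> password (constructed sample data)
    admins: set                     # logonids allowed to reactivate accounts
    max_failures: int = 3           # assumed; the post says "a certain number"
    failures: dict = field(default_factory=dict)
    suspended: set = field(default_factory=set)

    def login(self, logonid: str, password: str) -> str:
        if logonid not in self.passwords:
            return "unknown"
        if logonid in self.suspended:
            return "suspended"      # a correct password no longer helps
        if hmac.compare_digest(password.encode(), self.passwords[logonid].encode()):
            self.failures[logonid] = 0   # only consecutive failures count
            return "ok"
        self.failures[logonid] = self.failures.get(logonid, 0) + 1
        if self.failures[logonid] >= self.max_failures:
            self.suspended.add(logonid)
        return "bad-password"

    def reactivate(self, operator: str, logonid: str) -> bool:
        # Assumption: the operator must be an admin who is not suspended.
        if operator not in self.admins or operator in self.suspended:
            return False
        self.suspended.discard(logonid)
        self.failures[logonid] = 0
        return True

    def stranded(self) -> bool:
        """True when every admin is suspended, so nobody can reactivate anyone."""
        return bool(self.admins) and self.admins <= self.suspended


def demo() -> dict:
    p = LockoutPolicy({"root": "r00t-pw", "alice": "a-pw"}, admins={"root"})
    for _ in range(p.max_failures):          # bad guesses by someone who is not alice
        p.login("alice", "wrong")
    owner = p.login("alice", "a-pw")         # the real owner, correct password
    fixed = p.reactivate("root", "alice")    # an admin has to step in
    for _ in range(p.max_failures):          # the same failures against the only admin
        p.login("root", "wrong")
    return {"owner": owner, "fixed": fixed,
            "root": p.login("root", "r00t-pw"), "stranded": p.stranded()}


if __name__ == "__main__":
    print(demo())
```

The failure counter is driven by whoever submits passwords for a logonid, not by the account's owner, so `stranded()` is the condition to check for when reviewing such a policy.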