Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxt!houxm!whuxl!whuxlm!akgua!gatech!seismo!mcvax!enea!kuling!andersa
From: andersa@kuling.UUCP
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <884@kuling.UUCP>
Date: Fri, 7-Feb-86 21:53:05 EST
Article-I.D.: kuling.884
Posted: Fri Feb 7 21:53:05 1986
Date-Received: Tue, 11-Feb-86 05:13:46 EST
References: <100900001@haddock.UUCP>
Reply-To: andersa@kuling.UUCP (Anders Andersson)
Organization: Uppsala University, Sweden
Lines: 20

In article <100900001@haddock.UUCP> trb@haddock.UUCP writes:
>passwords. Some login programs hang up the phone after a number of
>attempts. A simple refinement which I've never heard mentioned would
>be to have the login program simply disable the ability to log in
>successfully after a number of attempts, without notifying the user.
>This would let the unsuspecting loser keep trying to log into your
>system while you had plenty of time to trace his phone line without
>your having to worry about his gaining entry to your system.

This behaviour can be selected in version 6 of DEC's not-to-be-continued
TOPS-20, which has been around for a while. After the user has provided
N invalid passwords within M minutes of real time, every password given
thereafter will be considered "invalid", until the job is logged out.
A message is also sent to the system console and to the error log file.

The time limit exists in order not to penalize weak typists after a few
hours of work, and both N and M are easily selected by the system manager.
--
Anders Andersson, Dept. of Computer Systems, Uppsala University, Sweden
Phone: +46 18 183170
UUCP: andersa@kuling.UUCP (...!{seismo,mcvax}!enea!kuling!andersa)
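
The lockout rule described in the post above, as an added Python sketch that is not part of the original post and is not TOPS-20 code. The names LoginJob, check, digest and STORE, the sample account, and the choice not to clear earlier failures on a successful login are assumptions made for the example.

```python
import hashlib
import hmac
from collections import deque

SALT = b"constructed-salt"                      # constructed sample data

def digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)

STORE = {"operator": digest("correct horse")}   # constructed account

def check(user, password):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(STORE.get(user, b""), digest(password))

class LoginJob:
    """One login job; once locked it stays locked until the job ends."""

    def __init__(self, check_password, n_failures, m_minutes, clock, log):
        self.check_password = check_password
        self.n = n_failures                 # N invalid passwords ...
        self.window = m_minutes * 60        # ... within M minutes (seconds)
        self.clock = clock                  # injectable time source
        self.log = log                      # stands in for console + error log
        self.failures = deque()
        self.locked = False

    def attempt(self, user, password):
        now = self.clock()
        # Run the real check even when locked, so a locked job does the same
        # work and gives the same answer as an ordinary wrong password.
        ok = self.check_password(user, password)
        if self.locked:
            return False
        if ok:
            return True   # assumption: a success does not clear earlier failures
        self.failures.append(now)
        while now - self.failures[0] > self.window:   # drop failures older than M
            self.failures.popleft()
        if len(self.failures) >= self.n:
            self.locked = True
            self.log(f"job locked: {self.n} invalid passwords within "
                     f"{self.window // 60} min, last user {user!r}")
        return False
```

Starting a new LoginJob corresponds to the job being logged out; the sliding window is what keeps a few scattered typos over several hours from tripping the lock.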