Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 ggr 10/10/85; site bentley.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!bentley!kwh
From: kwh@bentley.UUCP (KW Heuer)
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <588@bentley.UUCP>
Date: Mon, 10-Feb-86 17:56:13 EST
Article-I.D.: bentley.588
Posted: Mon Feb 10 17:56:13 1986
Date-Received: Wed, 12-Feb-86 06:23:50 EST
References: <100900001@haddock.UUCP>
Organization: AT&T Bell Laboratories, Liberty Corner
Lines: 16

In <100900001@haddock.UUCP> haddock!trb (Andrew Tannenbaum) writes:
> A simple refinement which I've never heard mentioned would
>be to have the login program simply disable the ability to log in
>successfully after a number of attempts, without notifying the user.
>This would let the unsuspecting loser keep trying to log into your
>system while you had plenty of time to trace his phone line ...

Trouble is, (a) no serious cracker will actually make guesses to the login
program. (b) If he knows about this feature, the cracker can turn it to his
advantage by locking out all the administrators.

This was analyzed in, I think, the October 1984 issue of the
_AT&T_Technical_Journal_ (special UN*X issue); but I can't find a copy
to verify it.

Karl W. Z. Heuer
"The Walking Lint"