Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site duts.UUCP
Path: utzoo!decvax!decwrl!amdcad!amdahl!duts!mnh
From: mnh@duts.UUCP (Mark Haynie)
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <210@duts.UUCP>
Date: Tue, 18-Feb-86 19:51:08 EST
Article-I.D.: duts.210
Posted: Tue Feb 18 19:51:08 1986
Date-Received: Wed, 19-Feb-86 21:53:31 EST
References: <974@decwrl.DEC.COM> <262@birtch.UUCP>
Distribution: na
Organization: Amdahl Corp, Sunnyvale CA
Lines: 22

> In article <974@decwrl.DEC.COM> moroney@jon.DEC (Mike Moroney) writes:
> >
> >
> >>We have all heard of losers who try to break into systems by calling
> >>up, and trying to log in by exhaustively trying groups of possible
> >>passwords. Some login programs hang up the phone after a number of
> >>attempts. A simple refinement which I've never heard mentioned would
> >>be to have the login program simply disable the ability to log in
> >>successfully after a number of attempts, without notifying the user.
> >>This would let the unsuspecting loser keep trying to log into your
> >>system while you had plenty of time to trace his phone line without
> >>your having to worry about his gaining entry to your system.

Some MVS systems do exactly that! After 12 login attempts your ID is
disabled. Since MVS systems tell you when you have invalid user-ids
before you enter the password, you can write a program which will find
all the user ids on a system and then quickly turn them off. Manual
intervention is required to turn ids back on -- requiring several hours
for all ids of a corporation. Shutting down a computer center in this
way is about as bad as breaking into one.
--
mark haynie
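
Added example, not part of the original post: a small Python model of the lockout rule described above, for comparing how long account owners stay shut out when a lock lasts until an operator resets it versus when it expires on its own. The class, the account names and the 900-second expiry are constructed for illustration, and the timed lock is an alternative assumed here, not something the post proposes.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 12  # threshold quoted in the post

@dataclass
class LoginGate:
    """Hypothetical login front end, constructed for this example."""
    passwords: dict
    lock_seconds: Optional[float] = None  # None: disabled until operator reset
    failures: dict = field(default_factory=dict)
    locked_at: dict = field(default_factory=dict)

    def is_locked(self, user, now):
        if user not in self.locked_at:
            return False
        if self.lock_seconds is not None and now - self.locked_at[user] >= self.lock_seconds:
            self.operator_reset(user)  # timed lock expired on its own
            return False
        return True

    def login(self, user, password, now):
        if user not in self.passwords:
            return "invalid-user"  # ID rejected before any password check
        if self.is_locked(user, now):
            return "locked"
        if password == self.passwords[user]:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_at[user] = now
        return "bad-password"

    def operator_reset(self, user):
        self.locked_at.pop(user, None)
        self.failures[user] = 0

def owners_locked_out(gate, now):
    """Count owners refused even though they present the correct password."""
    return sum(gate.login(u, p, now) == "locked" for u, p in gate.passwords.items())

def simulate(lock_seconds):
    accounts = {"alice": "a-secret", "bob": "b-secret", "carol": "c-secret"}  # constructed
    gate = LoginGate(dict(accounts), lock_seconds)
    for user in accounts:  # 12 wrong passwords against every valid ID
        for _ in range(MAX_FAILURES):
            gate.login(user, "wrong", now=0.0)
    return owners_locked_out(gate, now=1.0), owners_locked_out(gate, now=3600.0)
```

`simulate(None)` returns the number of owners refused one second and one hour after the failures under the operator-reset rule; `simulate(900.0)` returns the same pair when the lock expires after 900 seconds.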