Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!cmcl2!seismo!rochester!pt.cs.cmu.edu!a.sei.cmu.edu!tgl
From: tgl@a.sei.cmu.edu (Tom Lane)
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <219@a.sei.cmu.edu>
Date: Thu, 20-Feb-86 22:21:31 EST
Article-I.D.: a.219
Posted: Thu Feb 20 22:21:31 1986
Date-Received: Mon, 24-Feb-86 05:01:25 EST
References: <100900001@haddock.UUCP>
Organization: Carnegie-Mellon University, CS/RI
Lines: 33

Quite a few people have objected to the concept of permanently disabling logins to a particular account after seeing several erroneous login attempts on that account. I agree that that's a bad idea, but when I read Tanenbaum's original post I thought he meant something rather different, to wit:

After seeing more than N erroneous login attempts on a dialup line, refuse to honor any further login attempts ON THAT LINE until the connection is broken.

As far as I can see, this would have NO impact on the genuine owner of the account, who could still log in any time he comes along. Ditto for subsequent users of the same dialup line.

Naturally, to make this properly confusing the machine should still appear to be considering further userid/password pairs; it should simply always say "improper login" even if, by chance, a valid combination is entered. Then the attacker can have no certainty that he has in fact performed an exhaustive search of the password combinations: he might have tried the right one, but had it rejected anyway. (To make life harder, the precise value of N should be unpublicized, and perhaps even randomly variable. It's also necessary not to say "improper login" more quickly after exceeding N attempts than beforehand.)

With this plan, all the attacker accomplishes in the way of denial-of-services is to tie up one dialup port, which he will probably get tired of once he notices how his phone bill is mounting.

tom lane
-----
ARPA: lane@{CMU-CS-A.ARPA|A.CS.CMU.EDU}
UUCP: ...!seismo!cmu-cs-a!lane
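The per-line scheme the post describes, as an added Python example that is not part of the original article: one session object per dialup connection, a threshold N drawn at random per connection, and the same credential check run on every attempt so that neither the reply nor its timing changes once N is exceeded. The account table, the range 3..7 for N, and the class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo account table (hypothetical): user -> (salt, sha256(salt + password)).
def _make_record(password: str):
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

ACCOUNTS = {"alice": _make_record("correct horse")}

IMPROPER = "improper login"
WELCOME = "login ok"

def password_matches(user: str, password: str) -> bool:
    """Verify credentials; hash even for unknown users so the work done is uniform."""
    salt, digest = ACCOUNTS.get(user, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return user in ACCOUNTS and hmac.compare_digest(candidate, digest)

class LineSession:
    """Login state for ONE dialup connection.

    After more than `limit` failed attempts the line is poisoned: every later
    attempt is answered "improper login" even if the pair is valid.  The state
    lives only as long as the connection, so a fresh connection starts clean and
    the account itself is never disabled.
    """
    def __init__(self, n_min: int = 3, n_max: int = 7, rng=secrets.randbelow):
        # N is unpublicized and varies per connection (assumed range 3..7).
        self.limit = n_min + rng(n_max - n_min + 1)
        self.failures = 0
        self.poisoned = False

    def attempt(self, user: str, password: str) -> str:
        # Always run the real check first: the response path (and hence the
        # response time) is identical before and after the threshold is passed.
        ok = password_matches(user, password)
        if self.poisoned:
            return IMPROPER
        if ok:
            return WELCOME
        self.failures += 1
        if self.failures > self.limit:
            self.poisoned = True
        return IMPROPER
```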