Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!bloom-beacon!oberon!cit-vax!ucla-cs!zen!ucbvax!cbosgd!osu-cis!tut!lvc
From: lvc@tut.cis.ohio-state.edu (Lawrence V. Cipriani)
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <2167@tut.cis.ohio-state.edu>
Date: Mon, 23-Nov-87 21:13:00 EST
Article-I.D.: tut.2167
Posted: Mon Nov 23 21:13:00 1987
Date-Received: Fri, 27-Nov-87 02:02:46 EST
References: <4139@venera.isi.edu>
Organization: Ohio State Computer & Info Science
Lines: 29
Summary: login security hazards

In article <4139@venera.isi.edu>, cracraft@venera.isi.edu (Stuart Cracraft) writes:
> The 60-second timeout in Unix login is not long enough.
>
> When accessing Unix via various networks or combinations
> of networks, particularly when either the remote machine
> or the local machine is heavily loaded, the 60-second
> timeout will consistently prevent login.
>
> Has anyone else encountered this? Are there any others
> out there who would vote to increase the timeout from 60
> seconds to 180 seconds?
>
>
> Stuart

If you are going to increase the 60-second time limit you should also
limit the number of login attempts (with 60 seconds and fast hands you
can get about 15 attempts). For example, login could kick you out after
N attempts or M seconds, whichever occurs first. If you don't do something
like this, then you are giving a cracker more time to pound on your system
with password guesses. Of course, they can get right back in, so it's not
a great help.

To make this even better, allow login only in the first N attempts; after
that just keep prompting but don't let them in. Exit after M seconds too.

Does anyone have other suggestions for making login more secure?
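
The policy proposed in the reply above (N attempts or M seconds, whichever occurs first, and the variant that keeps prompting without admitting anyone), modelled as an added example that is not part of the original post. `run_session`, the struct names and the sample timings are assumptions made for illustration; a real login would drive the same decisions from a timer and terminal input.

```c
#include <stdio.h>
#include <stddef.h>

enum outcome { GRANTED, EXIT_ATTEMPTS, EXIT_TIMEOUT };

struct attempt { int t; int correct; };   /* t: seconds since first prompt */

struct policy {
    int max_attempts;   /* N: guesses that are actually checked */
    int max_seconds;    /* M: lifetime of the login session */
    int silent;         /* 0: exit after N failures; 1: keep prompting, never admit */
};

/* Replays a session; *checked receives how many guesses were really verified. */
enum outcome run_session(const struct policy *p, const struct attempt *a,
                         size_t n, int *checked)
{
    *checked = 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i].t >= p->max_seconds)
            return EXIT_TIMEOUT;          /* M seconds ran out first */
        if (*checked >= p->max_attempts)
            continue;                     /* silent mode: prompt again, ignore input */
        (*checked)++;
        if (a[i].correct)
            return GRANTED;
        if (!p->silent && *checked == p->max_attempts)
            return EXIT_ATTEMPTS;         /* N failures: drop the line */
    }
    return EXIT_TIMEOUT;                  /* typing stopped; the timer ends the session */
}

/* Constructed input: one guess every 4 seconds, the 10th guess is correct. */
static const struct attempt fast_guesser[] = {
    {0,0},{4,0},{8,0},{12,0},{16,0},{20,0},{24,0},{28,0},{32,0},{36,1}
};

int main(void)
{
    static const char *name[] = { "granted", "exit: attempts", "exit: timeout" };
    struct policy pol[] = { {1000, 180, 0}, {3, 180, 0}, {3, 180, 1} };
    for (size_t i = 0; i < 3; i++) {
        int checked;
        enum outcome o = run_session(&pol[i], fast_guesser, 10, &checked);
        printf("N=%d M=%d silent=%d -> %s after %d checked guesses\n",
               pol[i].max_attempts, pol[i].max_seconds, pol[i].silent,
               name[o], checked);
    }
    return 0;
}
```

With only the 180-second timer the constructed guesser gets in on its tenth try; with N=3 it gets three verified guesses per session in either mode, and in the silent variant it also spends the rest of the session on prompts that are never checked.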