• The Penguin (unregistered) in reply to boog
    boog:
    Dazed:
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.
    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
    Can't agree more that locking accounts after 3 failed attempts is a WTF. I've been saying it for years, but my bank still won't listen to me.

    I've heard a great alternative to locking passwords after the "maximum attempts" is to put delays on that account. After n failed attempts, the next n tries each take 10 seconds to submit, then the next n tries each take 30 seconds to submit, after that it takes 1 minute to submit every time.

    Brute force attacks take a lot longer to search the password space, making them virtually useless.

    I've heard that you're a lazy-ass IT manager that gets tired of resetting passwords forgotten due to your insanely retarded password requirements.

  • (cs) in reply to Anne
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
  • David Martensson (unregistered)

    Well, if the office space is secure in itself and the place to log in to is a publicly reachable site, a complex password on a post-it can be better than an easily remembered and possibly easily guessed or brute-forced one.

    At least as long as you do not protect yourself against co-workers.

  • (cs)

    I once worked at a company whose password policy, as best I remember it, was:

    • Minimum 10 characters, maximum 24.
    • Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    • Passwords expire every 45 calendar days.
    • No password may contain a substring that is a valid entry in the system's English lookup dictionary.
    • No password may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    • No password may repeat any character-position pair that was used in any of your 16 previous passwords.

    The dictionary lookup was very thorough. Too thorough. As a result, no password could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although passwords were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.

    The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, passwords would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.

    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.

    The character-position system was also buggy. It was fine with passwords that were less than the maximum length ... sort of. If you always used a constant password length, you never saw the bug. But if you ever once created a password longer than your longest previous password, that became your new minimum length, because the matching code was clearly a WTF all by itself.

    And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!
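    A validator for the policy described in the comment above, written as an added example rather than the company's own code: it reproduces the length, character-class, case-insensitive dictionary-substring, sequence-blacklist and character-position rules, using a tiny constructed dictionary that shows why A and I become unusable, and, unlike the original system, it reports which rule failed. Assumptions: the blacklist means ascending runs of three letters or digits, and the position rule compares case-sensitively.

```python
"""Validator for the 'Security by Post-It' password policy described above."""
import string

# Constructed stand-in for the "very thorough" dictionary. The single-letter
# words are what make every password containing A or I fail.
DICTIONARY = {"a", "i", "cwm", "dumb", "hello", "the", "of"}

CHARACTER_CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)


def _ascending_run(s: str) -> bool:
    """True for runs like 'fgh', 'PQR', '123' or '789', regardless of case."""
    s = s.lower()
    if not (s.isalpha() or s.isdigit()):
        return False
    return all(ord(s[k + 1]) - ord(s[k]) == 1 for k in range(len(s) - 1))


def check_password(candidate: str, previous: list, dictionary=DICTIONARY) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.

    `previous` is the user's password history, oldest first; only the last 16 count.
    """
    problems = []

    if not 10 <= len(candidate) <= 24:
        problems.append("length must be 10-24 characters")

    if not all(any(c in cls for c in candidate) for cls in CHARACTER_CLASSES):
        problems.append("needs uppercase, lowercase, digit and punctuation")

    lowered = candidate.lower()          # the dictionary check ignored case
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")

    if any(_ascending_run(candidate[k:k + 3]) for k in range(len(candidate) - 2)):
        problems.append("contains a blacklisted sequence")

    # Position rule: a character may not reappear at the same index as in any
    # of the 16 previous passwords. zip() compares only positions both strings
    # have, so a shorter candidate is not penalised for the positions it lacks
    # (the comment reports the original matching code got that wrong).
    for old in previous[-16:]:
        reused = [k for k, (c, o) in enumerate(zip(candidate, old)) if c == o]
        if reused:
            problems.append(f"reuses character position(s) {reused} from a previous password")
            break

    return problems


if __name__ == "__main__":
    print(check_password("Qz7!mXp2&Ko", []))                   # []
    print(check_password("Qa7!mXp2&Ko", []))                   # dictionary word ('a')
    print(check_password("Qz7!mXp2&Ko", ["Qz7!mXp2&Ko"]))      # every position reused
```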

  • BentFranklin (unregistered)

    I hate it when I see password rules say no words in the dictionary, but they don't rule out the common leet substitutions. I assume a dictionary attacker would have all those in their attack, eg, "d[i1]c[t7][i1][o0]n[a@]ry". Why don't any of those spiffy password creations guidelines ever mention that?

  • jimicus (unregistered) in reply to Anne

    Believe it or not, there are reasons to enforce a particular password length. Or, more accurately, there have been in the past.

    Earlier versions of Windows (particularly in the days before NTLM) split the password into two hashes each containing 7 characters - meaning you couldn't have a password with more than 14 characters. (You were also ill-advised to have too few characters in either half - so the optimum password would be either 7 or 14 characters long).

    I wouldn't be too surprised if similar eccentricities have existed in all sorts of password hashing algorithms in popular use over the years - I'd guess that some manager in the dim and distant past invented this rule because it seemed to make sense at the time, and it's never been reviewed since.

    The rest of those rules are just absurd. If anyone is in a position to try out a dictionary attack (and if your systems are susceptible to such an attack, you have far bigger issues than password regulation), you're essentially saying to them "Okay, that dictionary you're going to use for your attack? You can rule out many of the possible passwords because they don't meet the rules."

  • socknet (unregistered) in reply to trtrwtf
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.

    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    Resetting a password regularly without sufficient complexity is of limited use, as is having a complex password with no resets.

  • James Q. Muphry (unregistered) in reply to boog
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.

    Plus, you'll just want to store your password in plain-text on the hard-drive, and HTH are you going to access it?

  • Anon (unregistered) in reply to Mark
    Mark:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count).

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

    Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation).

    I have no idea what kind of warped mind comes to that conclusion from that rule as written.

  • trtrwtf (unregistered) in reply to socknet
    socknet:
    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?

    Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.

    Any leet warez verdorz here want to clue me in?

  • JoC (unregistered) in reply to dogbrags

    Gee, the valid solution set might be smaller than the invalid.

  • Anon (unregistered)

    Ah, I see TRWTF, they should have also asked users the security question of "what's your favorite book". That way users could automatically reset their passwords if they forget them.

    Fixed!

  • (cs) in reply to James Q. Muphry
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.
    Bullshit; hashed passwords always vary in length. It's the amount of upload time, memory usage, and hash computations that stay consistent regardless of input size.

    Or in other words, Muphry right back at ya buddy.

  • Tony (unregistered)

    OK, the set of rules suggests that the password is stored in clear/plain text and/or the SQL is not guarded against SQL injection.

    captcha: decet. How nice. :)

  • (cs) in reply to boog
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    Clearly you are unfamiliar with the following option which has been available to OpenVMS system managers for the last 15 or 20 years:

        MCR AUTHORIZE MODIFY /FLAGS=GENPWD /PWDLIFETIME="30-" JSMITH
    From that instant on, John Smith is required to change his password every thirty days, and each time he is presented with a list of five choices from which he *must* choose. An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa
  • James Q. Muphry (unregistered) in reply to boog
    boog:
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.
    Bullshit; hashed passwords always vary in length. It's the amount of upload time, memory usage, and hash computations that stay consistent regardless of input size.

    Or in other words, Muphry right back at ya buddy.

    Good god, I didn't even consider the fact you were trolling.

  • abcdefg? (unregistered) in reply to trtrwtf
    trtrwtf:
    I think just about anyone could memorize a truly random 14-character password if they had to type it every day
    Exactly this. When I came up with my original password I just bashed on the keyboard until like 12 chars appeared, then replaced a few characters. Sure, it took me a month or two to memorize, but once I did, I always remembered it, and it was secure because it truly was a random password and didn't mean anything. But if I was changing it every 2 months I would never remember it.
  • Naresh Kookaburra (unregistered) in reply to boog
    boog:
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.
    Bullshit; hashed passwords always vary in length. It's the amount of upload time, memory usage, and hash computations that stay consistent regardless of input size.

    Or in other words, Muphry right back at ya buddy.

    Really boog, you could at least make it challenging.

  • Rob (unregistered)

    Eh...

    I'd take a sheet of paper over Lastpass or PasswordSafe any day.

  • (cs) in reply to dpm
    dpm:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    Clearly you are unfamiliar with the following option which has been available to OpenVMS system managers for the last 15 or 20 years:

        MCR AUTHORIZE MODIFY /FLAGS=GENPWD /PWDLIFETIME="30-" JSMITH
    From that instant on, John Smith is required to change his password every thirty days, and each time he is presented with a list of five choices from which he *must* choose. An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa

    I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.

  • (cs) in reply to James Q. Muphry
    James Q. Muphry:
    Good god, I didn't even consider the fact you were trolling.
    On this site? TRWTF is not assuming the person you're talking to is a troll.
  • (cs) in reply to frits
    frits:
    We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

    The result, of course, was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.

    I've long promoted the notion that the secret to securing any system is to eliminate its users.
  • (cs) in reply to boog
    boog:
    dpm:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    (example of being forced to choose from a list)
    I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.
    You predicted it would happen within ten years, but it already happened twice that far back in the past.

  • (cs) in reply to dogbrags
    dogbrags:
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]

    That isn't exclamation. That's logical NOT! It's like a 12 yr old telling you something as if it's gospel then immediately saying "PSYCH"

    So... [Must not contain your username... psyche(exclamation)]

  • (cs) in reply to Naresh Kookaburra
    Naresh Kookaburra:
    Really boog, you could at least make it challenging.
    Why would I do that? As easy as I'm making it for you, you're still failing miserably.
  • (cs) in reply to dpm
    dpm:
    boog:
    dpm:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    (example of being forced to choose from a list)
    I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.
    You predicted it would happen within ten years, but it already happened twice that far back in the past.
    What did I predict exactly?

  • (cs) in reply to WthyrBendragon
    WthyrBendragon:
    dogbrags:
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]

    That isn't exclamation. That's comedic NOT! It's like a 12 yr old telling you something as if it's gospel then immediately saying "NOT"

    So... [Must not contain your username... NOT(exclamation)]

    FTFY

  • Zaratustra (unregistered)

    ABCabc123. Are we secure yet?

  • Mike (unregistered)

    Jam of the day - code to generate a password per the rules.

  • trtrwtf (unregistered) in reply to dpm
    dpm:
    An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa

    Make those a little more random (ie, include some digits, capitals, and punctuation) and you'd actually have something reasonable.

    TRWTF is expecting users to come up with something that meets security requirements and also seems memorable to them. Just give them a few options that meet security requirements, and let them regenerate the list until they see something they can work with. Humans are pretty good at recognizing "patterns" in random input, and computers are pretty good at giving humans random input to recognize patterns in. Why not play to the strengths of both?

  • Ken B. (unregistered) in reply to Anne
    Anne:
    A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    UserPasswordPlaintext as varchar(12);
    Duh!
  • (cs) in reply to Zaratustra

    ABC, easy as 123, It's like counting up to 3, Or simple as !@#

  • Ken B. (unregistered) in reply to trtrwtf
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    I was going to suggest "goodpasswords dot com", which SamSpade shows as a blank webpage. Unfortunately, IE shows it as an advertising page.

    trtrwtf:
    Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.
    And "adjacent" includes the rows above and below, and order doesn't matter. (No "oki", "xfd", "tvf", etc.)
  • (cs) in reply to Ken B.
    Ken B.:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    I was going to suggest "goodpasswords dot com"...

    Would that be a website listing "good passwords", or a form where users can submit their passwords and it will tell them how "good" the passwords are?

    Either way, sounds like a great idea.

  • C-Octothorpe (unregistered) in reply to hoodaticus
    hoodaticus:
    frits:
    We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

    The result, of course, was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.

    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.

  • socknet (unregistered) in reply to trtrwtf
    trtrwtf:
    socknet:
    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?

    Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.

    Any leet warez verdorz here want to clue me in?

    That would depend entirely on the system the password applies to.

    If it was a bank account, then perhaps the hacker would drain the account and not come back.

    If it was for membership to an adult website, maybe they would go back frequently.

    etc

  • C-Octothorpe (unregistered) in reply to boog
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.

    You work with hoodaticus too?!

  • C-Octothorpe (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.

    You work with hoodaticus too?!

    Around here, we just call him the "chair sniffer"...

  • E (unregistered)

    Actually I think this scheme would accept most of my passwords.

    Unless their dictionary has incredibly obscure words I don't know of in it.

  • Anachronda (unregistered) in reply to Dazed
    Dazed:
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.
    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
    I keep waiting for someone to decide that not having occasional missed attempts implies that your password is insufficiently complex and needs to be changed.
  • ih8u (unregistered) in reply to Mike
    Mike:
    Jam of the day - code to generate a password per the rules.

    That's really a great idea. In fact, I'd like to see the code they actually used to verify the correctness of candidate passwords.

    Not that I'd bet there are loads of bugs that allow all sorts of "insecure" passwords. I'm sure they implemented teh codez with l33t accuracy.

  • C-Octothorpe (unregistered) in reply to ih8u
    ih8u:
    Mike:
    Jam of the day - code to generate a password per the rules.

    That's really a great idea. In fact, I'd like to see the code they actually used to verify the correctness of candidate passwords.

    Not that I'd bet there are loads of bugs that allow all sorts of "insecure" passwords. I'm sure they implemented teh codez with l33t accuracy.

    Probably copy-pasted from the shit-pile called Akismet...

  • forgottenlord (unregistered)

    Huh, if it weren't for that 12 character limit, one of my main passwords would work perfectly for this.

  • (cs) in reply to Anne
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    Depending upon the way the password is stored, there is a maximum length beyond which any more data input is superfluous, and allowing it can give a false sense of security. For instance, using the original Unix crypt function, the password "HELLOWORLD" would work the same as "HELLOWOR", because it only supports passwords up to 8 characters. LM hash only supported up to 14 characters, and bcrypt only supports up to 55 characters (though if you have a password longer than 55 characters, you might be overdoing it a little).

    Of course, the biggest reason of all is probably because software uses no hashing method at all and simply stores the password in plaintext in a fixed-length column in their database.

  • Ol' Bob (unregistered) in reply to DCRoss
    DCRoss:
    andres:
    They can still do better:

    http://www.dilbert.com/strips/comic/2005-09-10/

    Or even http://www.dilbert.com/fast/2011-04-28/.

    But that would be spamming, so I'm going to complain a bit here.

    But even better there's

    http://dilbert.com/strips/comic/1998-04-06/

    Squeal like a pig... :-)

  • (cs) in reply to Anon
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

    It looks like something taken from the GRE's defunct analytical section ;)

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    boog:
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    You work with hoodaticus too?!
    Not for much longer. That guy gives me the heebie-jeebies.
  • Gary (unregistered)

    These intrigue me:

    • not contain a dictionary word!
    • not contain an exact dictionary word match!

    That rules out at minimum any of the vowels A, I and O. If you can't include two-letter combinations either am, do, em, en, go, he, etc., then we are going to have a really small set of possible pwds.

  • (cs) in reply to dpm
    dpm:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    Clearly you are unfamiliar with the following option which has been available to OpenVMS system managers for the last 15 or 20 years:

        MCR AUTHORIZE MODIFY /FLAGS=GENPWD /PWDLIFETIME="30-" JSMITH
    From that instant on, John Smith is required to change his password every thirty days, and each time he is presented with a list of five choices from which he *must* choose. An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa

    To compensate for BOFH-ish features like that (fortunately, options), at least VMS has a non-stupid intrusion system. A counter keeps track of failed logons, based on a configurable interval, so that three failed logons today and three tomorrow aren't treated the same as six within a minute. Even better, instead of locking out accounts like Windows (although that is still an option), the remote host is blocked. This prevents most DoS situations.
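    A source-keyed intrusion counter in the spirit of the VMS behaviour described above, as an added example (not VMS code or its configuration): failed logons are counted per remote host inside a configurable interval, a host that reaches the limit is blocked for a while, and the account itself stays usable from elsewhere. The class, parameter names and the timestamps in the replay are assumptions.

```python
"""Per-source failed-logon counter with interval-based forgetting and host blocking."""
from collections import deque


class SourceIntrusionGuard:
    def __init__(self, limit: int = 5, interval: float = 60.0, block_for: float = 600.0):
        self.limit = limit            # the failure that reaches this count trips the block
        self.interval = interval      # seconds; failures older than this are forgotten
        self.block_for = block_for    # seconds a source stays blocked once tripped
        self._failures = {}           # source -> deque of timestamps of recent failures
        self._blocked_until = {}      # source -> time at which its block expires

    def _prune(self, source: str, now: float) -> deque:
        """Drop failures outside the interval, so old and new failures don't add up."""
        q = self._failures.setdefault(source, deque())
        while q and now - q[0] > self.interval:
            q.popleft()
        return q

    def is_blocked(self, source: str, now: float) -> bool:
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[source]   # block has expired
            return False
        return True

    def record_failure(self, source: str, now: float) -> bool:
        """Record one failed logon from `source`; return True if that tripped a block."""
        q = self._prune(source, now)
        q.append(now)
        if len(q) >= self.limit:
            self._blocked_until[source] = now + self.block_for
            q.clear()
            return True
        return False

    def record_success(self, source: str) -> None:
        self._failures.pop(source, None)

    def recent_failures(self, source: str, now: float) -> int:
        return len(self._prune(source, now))


def replay(events, limit=5, interval=60.0, block_for=600.0) -> dict:
    """Feed (timestamp, source, succeeded) tuples through the guard.

    Returns {source: [timestamps at which that source was blocked]}. Attempts
    from a blocked source are refused before the password is even checked.
    """
    guard = SourceIntrusionGuard(limit, interval, block_for)
    blocked = {}
    for ts, source, ok in sorted(events):
        if guard.is_blocked(source, ts):
            continue
        if ok:
            guard.record_success(source)
        elif guard.record_failure(source, ts):
            blocked.setdefault(source, []).append(ts)
    return blocked


if __name__ == "__main__":
    # Constructed timeline: three failures today and three tomorrow from one
    # host, versus six within half a minute from another.
    spread = [(t, "10.0.0.5", False) for t in (0, 10, 20, 86400, 86410, 86420)]
    burst = [(t, "10.0.0.9", False) for t in (0, 5, 10, 15, 20, 25, 30)]
    print(replay(spread + burst, limit=6))   # {'10.0.0.9': [25]}
```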

Leave a comment on “Security by Post-It”
