[Foundation-l] Password security notes

Steve Sanbeg ssanbeg at ask.com
Mon May 7 22:27:11 UTC 2007


On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:


> What you should do here is after three failed attempts **CHANGE** the 
> password and email the new password
> to the affected account. Otherwise, the account is locked up. It will 
> require that people enter a valid email address, but oh well.
> 
> Jeff

DOS and spam seem like adding insult to injury.  I'd expect a lot of
complaints from the poor users whose passwords change hourly.

Slowing down the response rate based on the number of requests seems less
painful.
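
The rate-slowing approach favoured above, as an added example that is not from the thread: a per-account throttle whose wait grows with each failure but is capped and expires, so a flood of bad guesses slows the real user down instead of locking them out or forcing a password change. The policy constants, the credential store and the username "alice" are assumptions made for the demo.

```python
"""Progressive delay on failed logins; an added example, policy values assumed."""
import hashlib
import hmac

# Hypothetical policy: a few free attempts, then the wait doubles per failure,
# capped so a flood of bad guesses cannot keep the real user out for hours,
# and the failure count expires after a quiet window.
FREE_ATTEMPTS = 3
BASE_DELAY = 1.0      # seconds
MAX_DELAY = 300.0     # seconds
WINDOW = 3600.0       # seconds

# Constructed credential store (demo only): username -> salted PBKDF2 hash.
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)}


def required_delay(failures):
    """Seconds a caller must wait after `failures` consecutive bad attempts."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)


class LoginThrottle:
    """Per-account failure counter enforcing a growing delay, never a lockout."""

    def __init__(self):
        self._state = {}   # user -> (failures, time of last failure)

    def wait_time(self, user, now):
        """Seconds until `user` may try again at time `now` (0 if allowed)."""
        failures, last = self._state.get(user, (0, 0.0))
        if failures == 0 or now - last > WINDOW:
            self._state.pop(user, None)   # stale or absent: no penalty
            return 0.0
        return max(0.0, last + required_delay(failures) - now)

    def attempt(self, user, password, now):
        """Return 'ok', 'throttled' or 'bad'. The password is only checked
        when the throttle allows it, so guesses during a wait are not tried."""
        if self.wait_time(user, now) > 0:
            return "throttled"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
        expected = _USERS.get(user)
        if expected is not None and hmac.compare_digest(candidate, expected):
            self._state.pop(user, None)   # success clears the counter
            return "ok"
        failures, _ = self._state.get(user, (0, 0.0))
        self._state[user] = (failures + 1, now)
        return "bad"
```

Keyed by account alone, a flood of guesses can still impose the capped delay on the real user, which is why deployments usually pair the account counter with a per-source one.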
