[Foundation-l] Password security notes
ssanbeg at ask.com
Mon May 7 22:27:11 UTC 2007
On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:
> What you should do here is after three failed attempts **CHANGE** the
> password and email the new password
> to the affected account. Otherwise, the account is locked up. It will
> require people to enter a valid email address, but oh well.
DOS and spam seem like adding insult to injury. I'd expect a lot of
complaints from the poor users whose passwords change hourly.
Slowing down the response rate based on the number of requests seems less