[IRCServices] auto suspension after invalid passwords
Andrew Kempe
andrewk at icon.co.za
Fri Mar 23 14:47:01 PST 2001
Imho, the feature has good intentions but isn't very robust. Let's look at
what it's trying to do:
- Prevent a user from brute forcing the nick's password.
What are we currently doing to prevent this:
- Kill the user after X invalid passwords. This allows opers to see who is
getting a password wrong _a lot_. They can then akill the person's host.
What is the current method lacking:
- If there are no active opers (ooops), then the user could get away with it
for a while. So basically a temp akill might suffice. At least it would make
it slightly harder for the user to brute force the nickname effectively.
Finally, the chances of someone brute forcing a nickname's password are
already small - seeing as we have a minimum password length. So, maybe this
extra security is unnecessary?
Andrew
----- Original Message -----
From: "Andrew Church" <achurch at achurch.org>
To: <ircservices at ircservices.za.net>
Sent: Friday, March 23, 2001 1:28 PM
Subject: Re: [IRCServices] auto suspension after invalid passwords
> >If this feature is enabled, a rogue user could suspend anyone's nick - even
> >the services roots'. Surely this is a bit of a problem? Comments?
>
> Hm, this is a good point. Suggestions (other than the obvious "don't
> automatically suspend nicks")?
>
> --Andrew Church
> achurch at achurch.org | New address - please note.
> http://achurch.org/ | My e-mail address has changed.
>
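
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not IRCServices code: a penalty keyed on the target nick (auto suspension) lets anyone lock out the owner, while a penalty keyed on the source host (temp akill) only affects the guesser and expires on its own. The class names, host names, threshold and akill duration are assumptions made for illustration.

```python
from collections import defaultdict

MAX_BAD = 3          # assumed value for "X invalid passwords"
AKILL_SECONDS = 600  # assumed temp akill duration


class SuspendNickPolicy:
    """Penalty keyed on the TARGET nick (the auto-suspension idea)."""

    def __init__(self):
        self.bad = defaultdict(int)
        self.suspended = set()

    def failed_identify(self, host, nick, now):
        self.bad[nick] += 1
        if self.bad[nick] >= MAX_BAD:
            self.suspended.add(nick)  # stays until an oper lifts it

    def may_identify(self, host, nick, now):
        return nick not in self.suspended


class TempAkillPolicy:
    """Penalty keyed on the SOURCE host, expiring without oper action."""

    def __init__(self):
        self.bad = defaultdict(int)
        self.akill_until = {}

    def failed_identify(self, host, nick, now):
        self.bad[host] += 1
        if self.bad[host] >= MAX_BAD:
            self.akill_until[host] = now + AKILL_SECONDS
            self.bad[host] = 0  # counting restarts once the akill is placed

    def may_identify(self, host, nick, now):
        return now >= self.akill_until.get(host, 0)


def simulate(policy):
    # Constructed scenario: one host sends MAX_BAD wrong passwords for "Root".
    for t in range(MAX_BAD):
        policy.failed_identify("guesser.example", "Root", now=t)
    later = 10 + AKILL_SECONDS
    return {
        "owner_can_identify": policy.may_identify("owner.example", "Root", 10),
        "guesser_blocked": not policy.may_identify("guesser.example", "Root", 10),
        "guesser_after_expiry": policy.may_identify("guesser.example", "Root", later),
    }
```

A host-keyed counter only slows a guesser who stays on one host, which matches the "slightly harder" expectation stated in the message.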