more secure login

trt at rti-sel.UUCP
Fri Jul 13 09:40:27 AEST 1984


If your phone lines are so bad that more than three login attempts
are needed, I shudder at the carnage that must ensue
once you do get logged in!

I suppose Phil Ngai/Larry Tepper could check for apparently trashed input
and not count such against you.
That is better than weakening their login security,
which is after all the last chance to keep some random
from logging into the system and becoming superuser.

Some other security details that should be considered:
* Beware of giving out the external password over the phone!
* It would be nice to permit the "old" external password (with a warning),
so it can be changed regularly without causing too much grief.
* Failed-attempt logging should probably be implemented by Someone Else.
Naive logging might result in someone's password being
published as an "invalid login name".
Sophisticated logging can be worse, because if something awful happens
and it was logged and you overlooked it ... bye bye system administrator.
	Tom Truscott
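
An added example, not part of the original post: one way to log failed logins without publishing a password typed at the login: prompt, and without counting line noise against the caller. The account list, function names and log wording are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample accounts; a real login would consult the password file. */
static const char *known_accounts[] = { "root", "trt", "guest" };
#define N_ACCOUNTS (sizeof known_accounts / sizeof known_accounts[0])

/* Line noise: any byte outside printable ASCII. */
int looks_trashed(const char *typed)
{
    for (; *typed; typed++)
        if (!isprint((unsigned char)*typed))
            return 1;
    return 0;
}

/* Name that is safe to log: the typed text is echoed only when it is an
 * existing account, so a password entered as a login name is never recorded. */
const char *loggable_name(const char *typed)
{
    size_t i;
    for (i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(typed, known_accounts[i]) == 0)
            return known_accounts[i];
    return "(unknown name withheld)";
}

/* Record one failed attempt; returns the updated count toward the limit. */
int record_failure(const char *typed, int failures, char *logline, size_t len)
{
    if (looks_trashed(typed)) {
        snprintf(logline, len, "garbled input, not counted");
        return failures;
    }
    snprintf(logline, len, "failed login for %s", loggable_name(typed));
    return failures + 1;
}

int main(void)
{
    char line[80];
    int n = 0;
    n = record_failure("trt", n, line, sizeof line);         puts(line);
    n = record_failure("s3cretPw", n, line, sizeof line);    puts(line);
    n = record_failure("tr\x7f\x01t", n, line, sizeof line); puts(line);
    printf("counted failures: %d\n", n);
    return 0;
}
```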


