Re: password complexity -- implementing security changes

  • From: "Ethan Post" <post.ethan@xxxxxxxxx>
  • To: shrekdba@xxxxxxxxx
  • Date: Thu, 2 Mar 2006 16:37:07 -0600

Here is a "why do we do this" question.

Most of the policies I see concerning failed login attempts lock a
user out after a very limited number of attempts. It seems to me that
this feature is best at preventing dictionary attacks, but when the
number of attempts is limited to say "3" it ends up simply locking out
a legitimate user who is trying to remember 1 of 10 passwords they
use. Would it be fair to say that this number should be much higher,
say 50? This way the user is never inconvenienced and a dictionary
attack will still likely be blocked.

On 3/2/06, bill thater <shrekdba@xxxxxxxxx> wrote:
> On 3/2/06, J. Dex <cemail_219@xxxxxxxxxxx> wrote:
>
> > I am still not even sure if the application is going to prompt them after 90
> > days to change the password or they will just start getting locked out.
>
> my past experience tells me that unless the application looks for that
> notice explicitly, it won't and they'll just end up locked out.
--
//www.freelists.org/webpage/oracle-l
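The two settings under discussion, the failed-login threshold and the password expiry, are both Oracle profile limits. The following is an added example (Oracle SQL), not code from Ethan's post or from anyone else in the thread; the profile names, the user `scott`, and the numeric limits are illustrative assumptions, chosen to put the "3 and locked for good" policy next to a "50 with a short timed lock" policy.

```sql
-- Added example, not from the original thread. Profile names, the user
-- name and the limits are illustrative assumptions.

-- Policy as commonly deployed: three wrong passwords and the account
-- stays locked until a DBA runs ALTER USER ... ACCOUNT UNLOCK.
CREATE PROFILE app_users_strict LIMIT
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME    UNLIMITED;

-- Higher threshold, but with a timed lock. Someone cycling through a
-- few remembered passwords never hits it; an online guesser gets at
-- most 50 tries per ten minutes (PASSWORD_LOCK_TIME is in days, so
-- 10/1440 is ten minutes) and the lock clears by itself.
-- PASSWORD_GRACE_TIME matters for the 90-day question in the quoted
-- reply: during the grace window a login succeeds with ORA-28002
-- (warning, "will expire within N days") rather than failing with
-- ORA-28001; the application still has to surface that warning.
CREATE PROFILE app_users_timed LIMIT
  FAILED_LOGIN_ATTEMPTS 50
  PASSWORD_LOCK_TIME    10/1440
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7;

ALTER USER scott PROFILE app_users_timed;

-- Who is locked or expiring, and which kind of lock it is.
-- LOCKED(TIMED) expires on its own; plain LOCKED needs an explicit unlock.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
    OR account_status LIKE 'EXPIRED%';

-- Manual unlock for the strict profile's casualties.
ALTER USER scott ACCOUNT UNLOCK;
```

With a timed lock, the number that bounds an online guessing attack is attempts per lock window, not the bare threshold, so a threshold of 50 with a ten-minute lock is not 17 times weaker than 3. A threshold of 3 with an indefinite lock also lets anyone who knows a username lock that account at will, which is worth weighing against the dictionary-attack argument.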