[Zope-PTK] Re[2]: [Zope-PTK] Re: Proposal: password policy change

Bill Anderson bill@libc.org
Thu, 24 Aug 2000 00:48:30 -0600


Vlad Gerasimov wrote:
> 
> BA> One Solution:
> BA>  The password change can only be activated
> BA>  once per day. Now it takes 1,000,000 days
> BA>  for the HI to try his attack.
> 
> Other Solution:
> Unique (random) URL for every attempt.

Easy counter:
Grep for whatever you put in the link's text, such as "Request new password", and submit to that link.

At least by blocking attempts (and logging the IP of the request, btw) to a given time interval, such as 12 or 24 hours,
you dramatically reduce the threat of mail bombs, and the attack described earlier.

All a random link does is add more complexity than is necessary. After all, it would all be just weak camouflage over the
same page. Wouldn't take much to figure that out either. And it only takes one time for someone to do it, and the
technique spreads like false rumours. Limiting the time is a much simpler method, and much easier to implement. Heck, I
could even put it into 1.0 with minor work (Add property 'last_passchange_request', make it a datetime instance, and
check for passage of time when a new request is made.)

Bill

(BTW, no need to cc me, I am on the list ;^) )


--
Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.
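The time-interval check Bill sketches (a `last_passchange_request` datetime on the member, compared on each new request, with the requesting IP logged) is shown below as an added Python example; it is not code from the post or from the PTK, and the `Member` class, the `request_password_change` function and the constructed request sequence are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Minimum interval between accepted password-change requests per account
# (24 hours is one of the intervals mentioned in the thread).
REQUEST_INTERVAL = timedelta(hours=24)

class Member:
    """Stand-in for a PTK member object (assumed for this example); only the
    'last_passchange_request' property name comes from the post."""
    def __init__(self, user_id):
        self.id = user_id
        self.last_passchange_request = None  # datetime of last accepted request

def request_password_change(member, client_ip, now, log):
    """Accept at most one password-change request per REQUEST_INTERVAL.

    Every attempt, accepted or refused, is appended to `log` together with the
    requesting IP so that repeated requests against one account are visible.
    A refused attempt does not touch the timestamp: otherwise a third party
    retrying before the interval expires could keep a legitimate member from
    ever getting a request through. Returns True when the request may proceed
    (e.g. the confirmation mail is sent).
    """
    last = member.last_passchange_request
    if last is not None and now - last < REQUEST_INTERVAL:
        log.append((now, member.id, client_ip, "refused"))
        return False
    member.last_passchange_request = now
    log.append((now, member.id, client_ip, "accepted"))
    return True

def run_scenario():
    """Constructed sequence: a burst of requests for one account within the
    interval, then one request after it has elapsed."""
    log = []
    m = Member("alice")
    t0 = datetime(2000, 8, 24, 0, 48)  # constructed example clock
    results = [
        request_password_change(m, "192.0.2.10", t0, log),
        request_password_change(m, "192.0.2.10", t0 + timedelta(minutes=5), log),
        request_password_change(m, "192.0.2.11", t0 + timedelta(hours=23), log),
        request_password_change(m, "192.0.2.10", t0 + timedelta(hours=25), log),
    ]
    return results, log

if __name__ == "__main__":
    for entry in run_scenario()[1]:
        print(entry)
```

Only the first and the last request get through, and the log still records the two refused attempts and the addresses they came from.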