Re: failed password tries...!!

From: Eric Sosman <esosman@ieee-dot-org.invalid>
Newsgroups: comp.lang.java.programmer
Date: Thu, 05 Jul 2007 09:08:17 -0400
Message-ID: <sNSdnRwiuIjAcBHbnZ2dnUVZ_rGinZ2d@comcast.com>

jibi wilson wrote:

> please help me......may some of you experts active in here can suggest
> me a solution...
>
> I've a web site with front page asking username and password for
> entry ...is there any way to know how many failed password attempts
> have happened...what are the unauthorised username and password that
> has been tried...?any website is there to provide this service for
> free....? or should I use some complex programming to do this...?


     Before you attempt to make a record of incorrect username
and password pairs, take a few moments to think through the
security implications. When an actual user provides incorrect
login information, chances are good that it was just a small
typo; the information provided is *almost* correct. Thus, a
log of the failed attempts is almost as good as a complete
copy of your credentials database; given the log, a cracker
could break into the accounts in just about no time at all.
Do you *really* want to maintain such a risky log? Do you
*really* want a third party to maintain it for you "for free?"

     One error I myself make with embarrassing frequency is
to get "out of phase" with the prompts, entering my password
instead of my account name and vice versa. So, even a log
that records only the failed usernames but not the failed
passwords is not safe; a cracker observing that jwilson and
esosman and B##a29a^ and philton had all failed to log in
would have a pretty good idea about a possible password to
try against all the usernames on your system ...

--
Eric Sosman
esosman@ieee-dot-org.invalid
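
One way to count failed logins without creating the risky log described above, as an added example that is not part of the original post: the submitted password is never handed to the logger, and a submitted name is written out only when it matches an existing account. The class name, log format, account set and sample addresses are assumptions made for illustration.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/** Added example: records failed logins without storing what was typed. */
public class FailedLoginAudit {
    private final Set<String> knownAccounts;   // assumed to be loaded from the user store
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();
    private final AtomicInteger unknownNameFailures = new AtomicInteger();

    public FailedLoginAudit(Set<String> knownAccounts) {
        this.knownAccounts = Set.copyOf(knownAccounts);
    }

    /** Builds the audit line for a failed attempt. The password is never a parameter. */
    public String recordFailure(String submittedName, String remoteAddr, Instant when) {
        if (submittedName != null && knownAccounts.contains(submittedName)) {
            int n = failures.computeIfAbsent(submittedName, k -> new AtomicInteger())
                            .incrementAndGet();
            return when + " login-failed account=" + submittedName
                 + " from=" + remoteAddr + " count=" + n;
        }
        // Not an account name: it may be a password typed into the wrong field,
        // so only the fact of the failure is logged, never the text itself.
        int n = unknownNameFailures.incrementAndGet();
        return when + " login-failed account=<unknown> from=" + remoteAddr
             + " unknown-total=" + n;
    }

    /** Number of failures recorded so far against an existing account. */
    public int failuresFor(String account) {
        AtomicInteger n = failures.get(account);
        return n == null ? 0 : n.get();
    }

    public static void main(String[] args) {
        // Constructed sample data, reusing the names from the post above.
        FailedLoginAudit audit =
            new FailedLoginAudit(Set.of("jwilson", "esosman", "philton"));
        Instant t = Instant.parse("2007-07-05T13:08:17Z");
        System.out.println(audit.recordFailure("esosman", "192.0.2.10", t));
        System.out.println(audit.recordFailure("B##a29a^", "192.0.2.10", t)); // password in name field
        System.out.println(audit.recordFailure("esosman", "192.0.2.10", t));
        System.out.println("esosman failures: " + audit.failuresFor("esosman"));
    }
}
```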
