tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: passwd check from unpriliged programs (pkgsrc/pam-pwauth_suid)

On Wed, Jun 25, 2008 at 08:47:49PM +0200, Matthias Drochner wrote:
> The program can only be used to check the passwd of the
> user it was started as. Slowing it down would make it
> more complex, might even require some signal masking.

One simple idea is to just wait for e.g. 20 millisecond before trying to
validate the password the first time. It would still allow dictionary
attacks, but it isn't slow enough that a normal user will notice.


Home | Main Index | Thread Index | Old Index