[tpop3d-discuss] Patch to prevent brute force password cracking

Chris Lightfoot chris at ex-parrot.com
Wed, 16 Oct 2002 12:46:57 +0100


On Wed, Oct 16, 2002 at 01:35:16PM +0200, Yann GROSSEL wrote:
> 
> - delayed error responses (at least during authentication), to
> prevent an attacker from doing brute force password cracking. That
> is, once a user has attempted a wrong APOP or USER/PASS command,
> the ERR answer doesn't come immediately, but only after a few seconds.
> I've done a quick (attached) patch that does the thing. I'd like to
> know what you think about such a feature, and about my implementation?

It seems sensible, and the implementation is fine. I'm
slightly reluctant to incorporate it as is, because one of
the things I'd like to do is to modify tpop3d to add
write-buffering and make all I/O nonblocking. This will
make it easier to do TLS support nicely (yes, I know, this
has been on the to-do list for a while...); another
consequence is that freezing connections will work much
more naturally (since all responses will then be
buffered...).

Nevertheless, thanks for the patch; I'm sure that others
will find it useful in the interval before I get round to
doing the write buffering.

(One other thing to point out is that if you are
authenticating using PAM, certain PAM modules incorporate
delays when an incorrect password is received. This
freezes the whole daemon -- and all connections in the
authorisation state. I hate PAM....)

> - multiple mysql servers (we'll be using a mysql cluster). I've
> seen that this feature has been added to the TODO file in CVS and
> I'm willing to implement it. I've already done a small patch that
> seems to work but it still has a few problems. I'll keep working on
> it.

Excellent. What approach are you using?

-- 
``I believe I am the only living man to deliberately
  place his hands in the mouth of an attacking cougar.'' (Clarence Hall)
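The design Chris describes above, a per-connection write buffer with a "frozen until" timestamp so that a delayed -ERR holds only the offending connection while a poll()-driven main loop keeps serving the others, sketched here in C as an added example. This is not tpop3d's code nor the attached patch; the struct, the function names and the 3-second delay are assumptions.

```c
#include <string.h>
#include <time.h>

#define AUTH_FAIL_DELAY 3   /* seconds to hold an -ERR after a bad USER/PASS or APOP (assumed) */

/* One client in the authorisation state. Output is never written directly:
 * it is queued in wbuf and flushed only once now >= frozen_until, so a
 * failed login delays this connection without blocking the daemon. */
struct conn {
    char   wbuf[256];
    size_t wlen;
    time_t frozen_until;   /* 0 = not frozen */
    int    auth_failures;
};

/* Queue a response line; a real daemon would close on overflow. */
static void conn_send(struct conn *c, const char *line) {
    size_t n = strlen(line);
    if (c->wlen + n >= sizeof c->wbuf) return;
    memcpy(c->wbuf + c->wlen, line, n);
    c->wlen += n;
}

/* Record an authentication outcome. On failure the -ERR is buffered but
 * the connection is frozen for AUTH_FAIL_DELAY seconds from now. */
void conn_auth_result(struct conn *c, int ok, time_t now) {
    if (ok) { conn_send(c, "+OK logged in\r\n"); return; }
    c->auth_failures++;
    conn_send(c, "-ERR authentication failed\r\n");
    c->frozen_until = now + AUTH_FAIL_DELAY;
}

/* 1 if this connection's buffered output may be written at time now. */
int conn_writable(const struct conn *c, time_t now) {
    return c->wlen > 0 && now >= c->frozen_until;
}

/* poll() timeout (ms) for the main loop: time until the earliest pending
 * buffer may be flushed, or -1 if no connection has output waiting. */
int next_timeout_ms(const struct conn *conns, size_t n, time_t now) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (conns[i].wlen == 0) continue;
        time_t wait = conns[i].frozen_until > now ? conns[i].frozen_until - now : 0;
        int ms = (int)wait * 1000;
        if (best < 0 || ms < best) best = ms;
    }
    return best;
}
```

Because the delay lives in the connection's state rather than in a sleep(), a PAM module that sleeps on a bad password would still stall the daemon; only the daemon's own -ERR delay is made non-blocking here.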