shibboleth-dev - Re: [Shib-Dev] online attack resistance for UserPassword
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] online attack resistance for UserPassword
- Date: Tue, 31 May 2011 17:02:16 -0400
It's not really a Shib topic. Either your authentication system does
it or it doesn't. If it doesn't, that's where you need to add the
features you require.
On Tue, May 31, 2011 at 16:59, Leif Johansson
<>
wrote:
> While investigating popular identity assurance schemes we've (as in
> SWAMID) run across a common theme: password strength requirements.
>
> Specifically both InCommon Silver/Bronze, OIX FICAM LoA1, etc. refer
> to Appendix A of NIST SP800-63 which contains a discussion on
> password strength in terms of entropy.
>
> In their OIX application process [1], Google by way of Eric Sachs
> argues for rate-limiting using CAPTCHAs as a way to reduce the
> practicality of online password guessing attempts.
>
> Has this topic - rate-limiting authentication in the shib idp with
> or without CAPTCHAs or other mechanisms - been discussed in the shib
> developer community before? Does it seem like a viable option?
>
> Cheers Leif
>
> [1] http://sites.google.com/site/oauthgoog/Home/passwordentropy
--
Chad La Joie
www.itumi.biz
trusted identities, delivered