"Daniel Engovatov" <dengovatov@crosslogix.com> wrote:

> Completely disagree. Every single security system differentiates between,
> say, "incorrect password" and "service not available".

OSF DCE, Apollo Domain, and HP-UX all are very careful NOT to make any distinctions (I've worked on lots of other systems, but not recently enough to speak with reliance on my memory). The systems I've worked with even introduce intentional delays so that a user can't tell whether a login attempt failed due to invalid user name, invalid password, some service not available, etc. This is to avoid leaking any information that might help an attacker. Login either succeeds or it fails, and the time it takes to get a response is the same in either case.

Anne Anderson
Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA
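The contrast Anne describes, as an added example that is not part of the original message or any of the systems named in it: a login check that reports each failure mode separately, beside one that returns a single opaque outcome and pads every response to a fixed floor. The user record, salt, password and floor value are constructed for this example.

```python
import hashlib
import hmac
import time

# Constructed sample user store: username -> (salt, pbkdf2 digest).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"example-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
_DUMMY_DIGEST = b"\x00" * 32  # hashed against when the user is unknown

# Leaky version: the caller learns which check failed, both from the message
# and from how much work was done before returning.
def login_leaky(user, password, backend_up=True):
    if not backend_up:
        return "service not available"
    rec = USERS.get(user)
    if rec is None:
        return "invalid user name"
    salt, digest = rec
    if _hash(salt, password) != digest:
        return "incorrect password"
    return "ok"

# Uniform version: every failure yields the same result, the same hashing work
# is done whether or not the user exists, and the response never returns before
# a fixed floor so the elapsed time does not reveal which check failed.
RESPONSE_FLOOR = 0.05  # seconds; assumed value for this example

def login_uniform(user, password, backend_up=True, floor=RESPONSE_FLOOR):
    start = time.monotonic()
    ok = False
    try:
        if backend_up:
            salt, digest = USERS.get(user, (_SALT, _DUMMY_DIGEST))
            candidate = _hash(salt, password)
            ok = hmac.compare_digest(candidate, digest) and user in USERS
    except Exception:
        ok = False  # backend errors look exactly like a bad credential
    finally:
        remaining = floor - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
    return ok

def timed(fn, *args, **kwargs):
    """Return (result, elapsed_seconds) for one call; used to check the floor."""
    start = time.monotonic()
    result = fn(*args, **kwargs)
    return result, time.monotonic() - start
```

A fixed floor only hides timing differences smaller than the floor itself, so it must be set above the slowest legitimate path (including the backend-down case).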