On 7/15/09, David Wilson <david.t.wilson@gmail.com> wrote:
> On Wed, Jul 15, 2009 at 11:10 AM, Marko Kreen<markokr@gmail.com> wrote:
> > From a security standpoint, wasting more cycles on bad passwords is good,
> > as it decreases the rate at which brute-force password scanning can happen.
> >
> > And I cannot imagine a scenario where performance on invalid logins
> > can be relevant.
>
>
> DoS attacks. The longer it takes to reject an invalid login, the fewer
> invalid login attempts it takes to DoS the server.
No, this is not a good argument against it. Especially if you consider
that DoS via hanging-connect or SSL is still there.
Compared to a minor DoS, the password leakage is a much worse danger.
--
marko
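The two positions in this thread are not mutually exclusive, and the example below (added here; it is not code from the thread or from PostgreSQL) shows how a server can satisfy both: every password check, whether the user exists or not and whether the password is right or wrong, does the same PBKDF2 work and a constant-time compare, so a rejection leaks nothing through its timing (Marko's point about spending cycles on bad passwords); and a cheap per-client failure counter runs before the expensive hash, so a flood of invalid logins cannot make the server burn that work on every request (David's DoS point). The user store, the password, the iteration count and the throttle limits are constructed for the example; the injectable clock exists only so the window logic can be exercised deterministically.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Work factor for every verification, valid or not. Constructed value for
# the example; real deployments tune this to their hardware.
ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-cost hash from the password; the cost is what slows
    brute-force scanning, and it is paid on every path through verify()."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str):
    """Create (salt, hash) for a new account."""
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed user store: username -> (salt, hash). Not real credentials.
USERS = {"alice": make_record("correct horse battery staple")}

# A fixed dummy record so that an unknown username costs exactly as much
# to reject as a known one; otherwise the fast path would reveal which
# usernames exist.
_DUMMY_SALT, _DUMMY_HASH = make_record("dummy-password-never-accepted")


def verify(username: str, password: str) -> bool:
    """Equal-cost verification: same PBKDF2 work and a constant-time
    comparison on every path, so timing does not distinguish 'no such
    user' from 'wrong password' from 'correct password'."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _pbkdf2(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    # The dummy record can never match a real login, but be explicit.
    return matched and username in USERS


class FailureThrottle:
    """Per-client cap on failed attempts inside a sliding window. The check
    is a list scan, so it is cheap to apply before any hashing happens."""

    def __init__(self, max_failures: int = 5, window_s: float = 60.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock                       # injectable for testing
        self.failures = defaultdict(list)        # client -> failure times

    def allowed(self, client: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[client] if now - t < self.window_s]
        self.failures[client] = recent           # drop expired entries
        return len(recent) < self.max_failures

    def record_failure(self, client: str) -> None:
        self.failures[client].append(self.clock())


def login(client: str, username: str, password: str,
          throttle: FailureThrottle) -> str:
    """Return 'throttled', 'denied' or 'ok'. The throttle is consulted
    first so a flooding client is rejected before the expensive hash."""
    if not throttle.allowed(client):
        return "throttled"
    if verify(username, password):
        return "ok"
    throttle.record_failure(client)
    return "denied"


if __name__ == "__main__":
    throttle = FailureThrottle(max_failures=3, window_s=60.0)
    for pw in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(login("198.51.100.7", "alice", pw, throttle))
```

The throttle keys on the client, not the username, so an attacker cannot lock out a legitimate user by guessing against their account from elsewhere; keying on the username is the usual way a lockout policy turns into the very DoS the thread worries about. The hash cost should be chosen once for the whole server (here a single constant), never lowered on the failure path, since a cheaper rejection is exactly what makes brute-force scanning faster.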