Top Secret defends against attempts by a potential attacker to guess a password with the option PTHRESH(nn). If a user exceeds the specified threshold by entering a wrong password more than nn times, Top Secret suspends the acid.
This mechanism opens a new vulnerability: if an attacker runs automated logons with random passwords against all acids of a department, division or system, the organization can get into severe trouble, because all of its acids end up suspended due to too many wrong-password attempts. This kind of attack is called a "denial of service" attack: the attacker does not crack any password, but paralyzes a whole organisation.
In a CA support case it was clarified: "There is no way to prevent your scenario". Right, I cannot prevent an attacker from conducting an attack...
Therefore I suggest improving Top Secret's preparedness against such attacks by making wrong-password processing smarter:
- a delay of the negative answer ("wrong password") after a new, customizable number of failed attempts within a customizable timeframe, or
- a new temporary password suspension ("TSUSPEND") after a customizable number of failed attempts within a customizable timeframe, and a permanent PSUSPEND only after "too many" attempts,
to slow down a running attack, hopefully keep the organisation operative and give the organisation a chance to beat the attacker.
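As an added illustration of the staged response proposed above (this is not Top Secret code and does not claim to show how PTHRESH is implemented), a small Python model of the three stages: delayed answer, temporary suspension, permanent suspension. The thresholds, the field names (delay_after, tsuspend_after, psuspend_after) and the toy password store are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Policy:                        # thresholds for the staged response (values are illustrative)
    window_seconds: float = 600.0    # how long a failed attempt stays "recent"
    delay_after: int = 3             # recent failures before the wrong-password reply is delayed
    delay_seconds: float = 5.0       # how long the caller should hold that reply
    tsuspend_after: int = 6          # recent failures before a temporary suspension (TSUSPEND)
    tsuspend_seconds: float = 300.0
    psuspend_after: int = 20         # consecutive failures before permanent suspension (PSUSPEND)


@dataclass
class AcidState:
    recent: List[float] = field(default_factory=list)  # timestamps of failures inside the window
    consecutive: int = 0                               # failures since the last successful logon
    tsuspended_until: float = 0.0
    psuspended: bool = False


class LoginGuard:
    def __init__(self, policy: Policy, passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = passwords   # acid -> password; a toy store constructed for this demo
        self.states: Dict[str, AcidState] = {}

    def attempt(self, acid: str, password: str, now: float) -> Tuple[str, float]:
        """Judge one logon attempt at time `now`; returns (verdict, seconds to delay the reply)."""
        p, st = self.policy, self.states.setdefault(acid, AcidState())
        if st.psuspended:
            return "PSUSPEND", 0.0
        if now < st.tsuspended_until:
            # Refused without checking the password and without counting it, so hammering
            # a suspended acid cannot push it towards PSUSPEND.
            return "TSUSPEND", 0.0
        st.recent = [t for t in st.recent if now - t < p.window_seconds]
        if self.passwords.get(acid) == password:
            st.recent, st.consecutive = [], 0
            return "OK", 0.0
        st.recent.append(now)
        st.consecutive += 1
        if st.consecutive >= p.psuspend_after:    # "too many": only now is the acid locked for good
            st.psuspended = True
            return "PSUSPEND", 0.0
        if len(st.recent) >= p.tsuspend_after:    # burst of failures: lock temporarily
            st.tsuspended_until = now + p.tsuspend_seconds
            return "TSUSPEND", 0.0
        if len(st.recent) >= p.delay_after:       # first signs: slow the answer down
            return "WRONG-DELAYED", p.delay_seconds
        return "WRONG", 0.0
```

With the defaults, an attacker who fires a wrong password every second gets delayed answers from the third attempt and a temporary lock from the sixth, while a user who logs on correctly once the lock expires resets the counters.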
These or similar ideas (always with the focus on also defending against DoS attacks) are not fundamentally new and are already implemented in up-to-date login mechanisms. I'd like Top Secret to have this improved security mechanism too.
I'd like to invite you to comment, vote or share an alternative approach to meet this business need!