Improve Top Secret's preparedness to defend against denial of service attacks

Idea created by josef.thaler on Aug 27, 2015

Top Secret defends against attempts by a potential attacker to guess a password with the option PTHRESH(nn). If a user exceeds the specified threshold by entering the wrong password more than nn times, Top Secret suspends the acid.

This mechanism opens a new vulnerability: if another attacker executes automated logins with random passwords to all acids of a department, division or system, the organisation could get into severe trouble if all their acids are suspended because of too many wrong-password attempts. This kind of attack is called a "denial of service attack". The attacker does not hack any password, but paralyses a whole organisation.

In a CA support case it was clarified: "There is no way to prevent your scenario". Right, I cannot prevent an attacker from conducting an attack...

Therefore I suggest improving Top Secret's preparedness against such attacks by making wrong-password processing smarter:

either by

- a delay of the negative answer ("wrong password") after a new customizable number of failed attempts for a customizable timeframe, or

- a new temporary password suspension ("TSUSPEND") after a customizable number of failed attempts for a customizable timeframe, and a permanent PSUSPEND after "too many" attempts,

to slow down a running attack, hopefully keep the organisation operative and provide the possibility to beat the attacker.

These or similar ideas (always with the focus on also defending against DoS attacks) are not principally new and are already implemented in up-to-date login mechanisms. And I'd like Top Secret to have this improved security mechanism too.

I'd like to invite you to comment, vote or share an alternative approach to meet this business need!
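As an added illustration of the TSUSPEND/PSUSPEND escalation proposed in the post (example code written for this page, not Top Secret's own logic), the following Python model shows how a non-stop wrong-password burst takes far longer to lock an acid permanently than a plain threshold does, while a legitimate user's occasional typos are still cleared by a successful logon. The parameter names threshold, window, tsuspend_secs and max_tsuspends are assumptions standing in for PTHRESH(nn), the "customizable timeframe" and the "too many" limit.

```python
from dataclasses import dataclass, field

@dataclass
class AcidState:
    failures: list = field(default_factory=list)  # timestamps of recent wrong-password attempts
    tsuspend_until: float = 0.0                    # end of the current temporary suspension
    tsuspends: int = 0                             # temporary suspensions issued so far
    psuspended: bool = False                       # permanent suspension; an administrator must lift it

class SmartLockout:
    def __init__(self, threshold=5, window=300, tsuspend_secs=900, max_tsuspends=3):
        self.threshold, self.window = threshold, window  # assumed params: threshold stands in for PTHRESH(nn)
        self.tsuspend_secs, self.max_tsuspends = tsuspend_secs, max_tsuspends  # TSUSPEND length, "too many"
        self.acids = {}

    def status(self, acid, now):
        st = self.acids.setdefault(acid, AcidState())
        if st.psuspended:
            return "PSUSPEND"
        return "TSUSPEND" if now < st.tsuspend_until else "ACTIVE"

    def wrong_password(self, acid, now):
        """Record one failed logon at time `now` (seconds) and return the acid's new status."""
        status, st = self.status(acid, now), self.acids[acid]
        if status != "ACTIVE":
            return status                        # attempts against a suspended acid are ignored, not counted
        st.failures = [t for t in st.failures if now - t < self.window] + [now]
        if len(st.failures) < self.threshold:
            return "ACTIVE"
        st.failures.clear()
        st.tsuspends += 1
        if st.tsuspends > self.max_tsuspends:
            st.psuspended = True                 # too many bursts: escalate to permanent suspension
            return "PSUSPEND"
        st.tsuspend_until = now + self.tsuspend_secs
        return "TSUSPEND"

    def correct_password(self, acid, now):
        """A successful logon clears the failure history; returns False while the acid is suspended."""
        if self.status(acid, now) != "ACTIVE":
            return False
        self.acids[acid].failures.clear()
        return True

def seconds_until_psuspend(policy, acid="USER01", attempt_gap=1.0):
    """Constructed attacker model: one wrong password every attempt_gap seconds, non-stop."""
    now = 0.0
    while policy.wrong_password(acid, now) != "PSUSPEND":
        now += attempt_gap
    return now
```

With the default parameters a one-attempt-per-second burst needs 2716 seconds to reach PSUSPEND, against 4 seconds when max_tsuspends=0 reproduces plain threshold behaviour.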