This will be implemented next. Rationale:
- preventing compromised user accounts (such as www-data) from brute-forcing other accounts
- short passwords secure against “online” attacks
Please suggest pam_tally2 vs pam_tally vs other pam lockout plugins.
Please also suggest defaults. After 5 or 10 failed login attempts, lock the account forever and require the user to boot into single user / recovery mode to unlock?
5 or 10 attempts are not enough for any reasonable brute force? Even a common word plus a few numbers would be secure enough?
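For reference, here is what the lockout policy asked about above looks like as PAM configuration. This is an added example, not configuration from the ticket or the project: it assumes a Debian-style `/etc/pam.d/common-auth` and `common-account` layout and uses the pam_tally2 options `deny`, `onerr`, `even_deny_root`, `root_unlock_time` and `audit` as documented in pam_tally2(8). Leaving `unlock_time` out gives the "locked until an administrator resets it" behaviour, which in practice means booting into recovery mode and running `pam_tally2 --user <name> --reset`. Newer Linux-PAM releases deprecated pam_tally and pam_tally2 in favour of pam_faillock, so the equivalent pam_faillock lines are shown at the end.

```text
# /etc/pam.d/common-auth  (added example; Debian-style layout assumed)
#
# pam_tally2 must run BEFORE pam_unix so that every attempt is counted,
# including attempts against accounts that do not exist.
#
#   onerr=fail            if the tally file cannot be read, deny (fail closed)
#   deny=5                lock after 5 consecutive failures
#   (no unlock_time)      stay locked until an admin resets the tally;
#                         add unlock_time=900 for a 15-minute timed lockout
#   even_deny_root        also count/lock root, so a compromised service
#                         account cannot brute-force root either
#   root_unlock_time=60   but let root recover after 60 s, so a remote
#                         attacker cannot lock the admin out permanently
#   audit                 log the user name even when it does not exist
auth    required                        pam_tally2.so onerr=fail deny=5 even_deny_root root_unlock_time=60 audit

auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

# /etc/pam.d/common-account
# The account line resets the counter to 0 after a successful login.
account required                        pam_tally2.so

# Inspect or clear the counter (e.g. from recovery mode):
#   pam_tally2 --user alice
#   pam_tally2 --user alice --reset

# Equivalent policy with pam_faillock (the module that replaced pam_tally2).
# unlock_time=0 means "never unlock automatically"; clear with
#   faillock --user alice --reset
#
# auth    required  pam_faillock.so preauth  silent deny=5 unlock_time=0 even_deny_root audit
# auth    [success=1 default=ignore]  pam_unix.so nullok_secure
# auth    [default=die]  pam_faillock.so authfail deny=5 unlock_time=0 even_deny_root audit
# auth    sufficient  pam_faillock.so authsucc deny=5 unlock_time=0 even_deny_root audit
# account required  pam_faillock.so
```

Note that the counter is per account, not per source, so an unprivileged local process that fails the password check for another user five times locks that user out. That is exactly what the ticket wants against a compromised www-data, but it also means a local denial of service against other users is possible, which is why the root exception above is time-limited rather than permanent.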