Password Security at Linode
Here’s something good:
We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers.
And this:
Some of you may have noticed a few changes to the Linode Manager over the past few weeks, most notably that accessing your “My Profile” and the “Account -> Users & Permissions” subtab now requires password re-authentication.
The re-authentication is meant to protect your contact settings, password changes, and other preferences. The re-auth lasts for about 10 minutes, after which you’ll be asked to provide your password again on those sections of the Linode Manager.
It’s nice to see some companies implementing these sorts of security measures.
Carl 'SAI' Mitchell • April 18, 2012 1:46 PM
It depends on how they are doing the time delay. If it’s in their software, then a dump of the database of hashed, salted passwords is still rather easy to brute force. If they have used key strengthening measures (hash it a million times or so, for example) then it’s much harder to brute force.
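The two layers discussed above, as an added example that is not Linode's code or the commenter's: a per-address throttle (one attempt in flight, doubling delay after each failure) in front of a PBKDF2-stretched password record. The names `LoginThrottle` and `attempt_login`, the delay values and the choice of PBKDF2-HMAC-SHA256 are assumptions; tarpitting is not modeled.

```python
import hashlib, hmac, os, threading
from collections import defaultdict

def hash_password(password, iterations=1_000_000, salt=None):
    # Key stretching: the iteration count is what an offline attacker pays per guess.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify_password(password, record):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])  # constant-time comparison

class LoginThrottle:
    """Hypothetical online throttle, keyed by remote address."""
    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(int)
        self.not_before = defaultdict(float)
        self.in_flight = set()
        self.mutex = threading.Lock()

    def begin(self, addr, now):
        # Refuse if this address already has an attempt running or is still delayed.
        with self.mutex:
            if addr in self.in_flight or now < self.not_before[addr]:
                return False
            self.in_flight.add(addr)
            return True

    def finish(self, addr, now, success):
        with self.mutex:
            self.in_flight.discard(addr)
            if success:
                self.failures[addr], self.not_before[addr] = 0, 0.0
                return
            self.failures[addr] += 1
            delay = self.base_delay * 2 ** (self.failures[addr] - 1)
            self.not_before[addr] = now + min(delay, self.max_delay)

def attempt_login(throttle, record, addr, password, now):
    if not throttle.begin(addr, now):
        return "throttled"
    ok = verify_password(password, record)
    throttle.finish(addr, now, ok)
    return "ok" if ok else "denied"
```

Calling `verify_password` directly against a copied record never touches the throttle, so against a database dump only the iteration count slows guessing.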