Security of the IM2000 session authentication mechanisms
Brute force attacks against authentication
Authentication transactions in the IM2000 protocols are designed to
prevent leakage of information when authentication fails.
The client is not told the exact reason for the failure (for example,
whether the account name was unknown or the password was wrong), which
prevents account-enumeration attacks whereby clients guess account names
without having to supply passwords.
Servers may employ mechanisms that
  * limit the number of times that authentication can fail per session,
    and then fail all subsequent authentication transactions in that session;
  * limit the number of times that authentication can fail per account,
    and then fail all subsequent authentication attempts for that account
    until reset by an out-of-band means; or
  * introduce delays before sending responses if too many consecutive
    authentication attempts fail.
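As an added illustration, not part of the IM2000 specification or of any IM2000 implementation, the following hypothetical server-side handler combines the three mechanisms above with a single cause-free failure response. The account store, account names, limits and delay values are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_SESSION_FAILURES = 3   # after this many, every further attempt in the session fails
MAX_ACCOUNT_FAILURES = 5   # after this many, the account fails until reset out of band
BACKOFF_SECONDS = 0.5      # base delay, doubled for each consecutive failure in a session
FAIL = "FAIL"              # the single, cause-free failure response sent to the client

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store (hypothetical): name -> (salt, derived key).
ACCOUNTS = {"alice": (b"salt-alice", _derive("correct horse", b"salt-alice"))}
_DUMMY = (b"dummy-salt", bytes(32))  # used for unknown names so the work done is uniform
account_failures = {}      # name -> consecutive failures, counted across all sessions
locked_accounts = set()    # accounts that fail until reset_account() is called

@dataclass
class Session:
    failures: int = 0
    locked: bool = False

def reset_account(name):
    """Out-of-band reset (e.g. by an operator) that clears a per-account lockout."""
    account_failures.pop(name, None)
    locked_accounts.discard(name)

def authenticate(session, name, password, sleep=time.sleep):
    """Return "OK" or FAIL; the client never learns *why* an attempt failed."""
    if session.locked:
        return FAIL
    salt, key = ACCOUNTS.get(name, _DUMMY)
    # Always derive and compare, even for unknown or locked names, so that
    # response timing does not distinguish "no such account" from "bad password".
    good = hmac.compare_digest(_derive(password, salt), key)
    if good and name in ACCOUNTS and name not in locked_accounts:
        session.failures = 0
        account_failures.pop(name, None)
        return "OK"
    session.failures += 1
    if session.failures >= MAX_SESSION_FAILURES:
        session.locked = True
    if name in ACCOUNTS:
        account_failures[name] = account_failures.get(name, 0) + 1
        if account_failures[name] >= MAX_ACCOUNT_FAILURES:
            locked_accounts.add(name)
    sleep(BACKOFF_SECONDS * 2 ** (session.failures - 1))  # grows with consecutive failures
    return FAIL
```

A locked session and a locked account both produce the same FAIL token as a wrong password, so a probing client cannot tell which limit it has hit.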