On May 29, 2008, at 12:26, I wrote:
> Using timestamp preauth and guessing the wrong salt would be
> counted as a failed attempt, I think, so guessing seems like a bad
> idea for your SOP.

Ah, actually looking at the code for the first time in way too long, I see that we reset the counter on a successful authentication, so, "never mind". :)

Does Heimdal do failed-attempt tracking too?

Ken