Pau Lo asked:

account lockout best practice

i am looking into account lockout best practice configurations for failed login attempts/brute force. for one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60 second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view if this setting poses a risk in anyway, or if any password attack tools can be configured to work around this setting e.g. a slower approach on how many it attempts each minute, and if so a more suitable suggestion of values?
Tags: Web Applications, OS Security, Security

Last comment: slightwv (䄆 Netminder), 8/22/2022 - Mon

Can the administrator do it based on 3 or 5 failed logons, regardless of timeframe? If it has to be within the timeframe of a minute, then I would lower that threshold to 3. A user could realistically make that many attempts in a minute.
slightwv (䄆 Netminder)

>>or if any password attack tools can be configured to work around this setting

Tools can be configured to do anything.  The catch is knowing the configured settings to be able to code around them.  That would take inside knowledge.

As far as if that app is acceptable or not, it depends.  Every shop should have a set of "standards" that should be a minimum that must be met.  Then you look at the apps on a case by case basis to see if you need tighter controls.

I would lock down web access to a payroll system a LOT tighter than a company intranet site where people can post cat pics.

It may be possible to see such multiple short attempts if the login is made from a smartphone, which can be thumb-unfriendly and prone to mis-keyed entries.

Another scenario that is much less likely is that the coding did not clear the entries on each failed attempt, so unintentional multiple attempts (e.g. a phone with no screen lock put into a cramped pocket and pressed by other objects) are then treated as an "attack".

Best is to enforce 2FA and on each failed attempt add a "delay" check (e.g. increase the wait-out timer for that user) to slow down the attempts.
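The following is an added example, not code from the original thread or from any poster. It models the two controls discussed above, the 10-failures-in-60-seconds sliding window from the question and the per-user escalating delay suggested in the last comment, and feeds both the same constructed sequences of evenly spaced failed logins so you can compare how each policy responds. All names (`LockoutPolicy`, `LoginGuard`, `evaluate`) and the 900-second lock duration are assumptions for the demo.

```python
"""Account lockout policy evaluator (added example, not from the thread).

Two controls are modelled:
  1. sliding-window lock: `max_failures` within `window_seconds` locks the
     account for `lock_seconds` (the 10-in-60 setting from the question);
  2. escalating per-user delay: each consecutive failure doubles the wait
     before the next attempt is considered, capped at `max_delay`, reset on
     success (the "increase wait-out timer" suggestion from the comment).
Class/function names are hypothetical; attempt sequences are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    window_seconds: float = 60.0   # window from the question
    max_failures: int = 10         # threshold from the question
    lock_seconds: float = 900.0    # assumed lock duration (not on the page)
    base_delay: float = 0.0        # 0 disables the escalating delay
    max_delay: float = 300.0       # cap so a user is never delayed for hours


@dataclass
class AccountState:
    recent_failures: deque = field(default_factory=deque)  # timestamps in window
    consecutive_failures: int = 0
    locked_until: float = 0.0
    not_before: float = 0.0


class LoginGuard:
    """Tracks failed logins per account and decides whether to accept a try."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _prune(self, st: AccountState, now: float) -> None:
        # Drop failures that have aged out of the sliding window.
        while st.recent_failures and now - st.recent_failures[0] >= self.policy.window_seconds:
            st.recent_failures.popleft()

    def decide(self, user: str, now: float) -> str:
        """Return 'allow', 'locked' or 'delayed' for an attempt at time `now`."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            return "delayed"
        return "allow"

    def record_failure(self, user: str, now: float) -> None:
        st = self._state(user)
        self._prune(st, now)
        st.recent_failures.append(now)
        st.consecutive_failures += 1
        if len(st.recent_failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_seconds
            st.recent_failures.clear()
        if self.policy.base_delay > 0:
            delay = self.policy.base_delay * 2 ** (st.consecutive_failures - 1)
            st.not_before = now + min(delay, self.policy.max_delay)

    def record_success(self, user: str, now: float) -> None:
        st = self._state(user)
        st.consecutive_failures = 0
        st.recent_failures.clear()
        st.not_before = 0.0


def evaluate(policy: LockoutPolicy, interval_seconds: float, attempts: int,
             user: str = "alice") -> dict[str, int]:
    """Feed evenly spaced failed logins (constructed input) and count verdicts."""
    guard = LoginGuard(policy)
    counts = {"allow": 0, "locked": 0, "delayed": 0}
    for i in range(attempts):
        now = i * interval_seconds
        verdict = guard.decide(user, now)
        counts[verdict] += 1
        if verdict == "allow":
            guard.record_failure(user, now)   # every allowed try fails in this demo
    return counts


if __name__ == "__main__":
    window_only = LockoutPolicy()
    with_backoff = LockoutPolicy(base_delay=1.0)
    print("1/s, window only:   ", evaluate(window_only, 1.0, 30))
    print("1 per 7s, window only:", evaluate(window_only, 7.0, 100))
    print("1 per 7s, + backoff:  ", evaluate(with_backoff, 7.0, 100))
```

Run as-is, the first line shows the window rule firing after ten failures in ten seconds. The second shows that one failure every seven seconds (just under ten per minute) never accumulates ten entries inside any 60-second window, so the window rule alone lets all 100 attempts through; that is the gap the question is asking about. The third shows the escalating delay throttling the same sequence to ten accepted attempts out of 100 without ever locking the account, which also limits the collateral effect of a hard lockout on the legitimate user.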


slightwv (䄆 Netminder)

I'm curious.  If you find comments helpful, can I ask why they weren't accepted as part of the solution?