I am looking into account lockout best-practice configurations for failed login attempts/brute force. For one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60-second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view on whether this setting poses a risk in any way, or if any password attack tools can be configured to work around this setting, e.g. a slower approach to how many attempts it makes each minute, and if so, a more suitable suggestion of values?
Tags: Web Applications, OS Security, Security
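To make the question concrete, here is a small simulation of how a sliding-window lockout (10 failures in 60 seconds) behaves compared with a long-window or cumulative counter, against a constructed stream of failed logins. This is example code added for this thread, not from the original post or from any product; the policy values, the user name "alice" and the 900-second lock duration are hypothetical assumptions chosen for illustration.

```python
"""Compare account-lockout policies against a constructed stream of failed logins.

Added example for this thread (not from the original post). All policy numbers,
the user name and the attempt stream are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int              # failures that trigger a lock
    window_s: Optional[float]   # sliding window in seconds; None = count until success or lock
    lockout_s: float            # how long the account stays locked once triggered


class AccountLockoutTracker:
    """Per-user failure counter with an optional sliding window."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at time `now`; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        q = self._failures.setdefault(user, deque())
        q.append(now)
        if self.policy.window_s is not None:
            # Forget failures that have fallen out of the sliding window.
            while q and now - q[0] > self.policy.window_s:
                q.popleft()
        if len(q) >= self.policy.threshold:
            self._locked_until[user] = now + self.policy.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history (typical behaviour)."""
        self._failures.pop(user, None)


def simulate_failed_logins(policy: LockoutPolicy, interval_s: float,
                           duration_s: float, user: str = "alice") -> dict:
    """Feed one failed login every `interval_s` seconds for `duration_s` seconds.

    Returns how many attempts reached password verification ("processed"),
    how many were turned away by the lock ("rejected"), and when the first
    lock happened ("locked_at", or None if the policy never triggered).
    """
    tracker = AccountLockoutTracker(policy)
    processed = rejected = 0
    locked_at: Optional[float] = None
    t = 0.0
    while t < duration_s:
        if tracker.is_locked(user, t):
            rejected += 1
        else:
            processed += 1
            if tracker.record_failure(user, t) and locked_at is None:
                locked_at = t
        t += interval_s
    return {"processed": processed, "rejected": rejected, "locked_at": locked_at}


# Hypothetical policies for comparison.
SHORT_WINDOW = LockoutPolicy(threshold=10, window_s=60, lockout_s=900)        # the setting in the question
LONG_WINDOW = LockoutPolicy(threshold=10, window_s=24 * 3600, lockout_s=900)  # same threshold, 24 h window
CUMULATIVE = LockoutPolicy(threshold=10, window_s=None, lockout_s=900)        # count until success or lock

if __name__ == "__main__":
    cases = [("10 in 60 s", SHORT_WINDOW), ("10 in 24 h", LONG_WINDOW), ("10 cumulative", CUMULATIVE)]
    for name, policy in cases:
        # One failure every 7 seconds for 10 minutes: under 10/minute, so the short window never fires.
        print(f"{name:14s} slow stream:", simulate_failed_logins(policy, interval_s=7, duration_s=600))
        # One failure per second: every policy locks after the 10th attempt.
        print(f"{name:14s} fast stream:", simulate_failed_logins(policy, interval_s=1, duration_s=600))
```

Running the slow stream shows the point of the question: with a 60-second window the counter never holds more than nine failures at once, so all 86 attempts in ten minutes reach password verification, whereas a day-long window or a cumulative counter locks the account at the tenth failure and turns the remaining 76 away. The trade-off in the other direction is that a long window with a hard lock makes it easier for someone to lock a legitimate user out, which is why the usual pairing is a modest threshold over a longer window plus a temporary lock or progressive delay rather than a permanent lock, with monitoring on the lockout events themselves.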
slightwv (Netminder)
8/22/2022 - Mon