
account lockout best practice

Last Modified: 2018-09-16
I am looking into account lockout best practice configurations for failed login attempts/brute force. For one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60 second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view on whether this setting poses a risk in any way, or if any password attack tools can be configured to work around this setting, e.g. a slower approach on how many attempts it makes each minute, and if so a more suitable suggestion of values?

Distinguished Expert 2019

Can the administrator do it based on 3 or 5 failed logons, regardless of timeframe? If it has to be within the timeframe of a minute, then I would lower that threshold to 3. A user could realistically make that many attempts in a minute.
Most Valuable Expert 2012
Distinguished Expert 2019

> or if any password attack tools can be configured to work around this setting

Tools can be configured to do anything.  The catch is knowing the configured settings to be able to code around them.  That would take inside knowledge.

As far as if that app is acceptable or not, it depends.  Every shop should have a set of "standards" that should be a minimum that must be met.  Then you look at the apps on a case by case basis to see if you need tighter controls.

I would lock down web access to a payroll system a LOT tighter than a company intranet site where people can post cat pics.
btan, Exec Consultant
Distinguished Expert 2019

It may be possible for such multiple short attempts, assuming it is a login using a smartphone, which can be thumb-unfriendly and prone to erroneous key presses.

Another scenario that is much less likely is that the coding did not clear entries on each failed attempt, so unintentional multiple attempts (e.g. a phone with no screen lock put into a pocket, cramped and pressed by other objects) are then treated as an "attack".

Best is to enforce 2FA and on each failed attempt create a "delay" check (e.g. increase the wait-out timer for that user) to slow down the attempts.
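As an added illustration that is not part of this thread, the Python below simulates the two policies discussed: the 10-failures-in-60-seconds sliding window from the question, and a failure counter with a growing per-user wait-out as suggested above. The class names, thresholds, base delay and the two attempt sequences are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class WindowLockout:
    """Question's policy: lock after `threshold` failures within `window` seconds."""
    threshold: int = 10
    window: float = 60.0
    failures: deque = field(default_factory=deque)
    locked: bool = False

    def record_failure(self, t: float) -> bool:
        self.failures.append(t)
        while t - self.failures[0] > self.window:  # age out old failures
            self.failures.popleft()
        if len(self.failures) >= self.threshold:
            self.locked = True
        return self.locked

@dataclass
class BackoffLockout:
    """Suggested policy: a counter that does not reset by itself plus a per-user
    wait-out that doubles per failure (constructed: 1 s base, lock at 5)."""
    threshold: int = 5
    base_delay: float = 1.0
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0

    def record_failure(self, t: float) -> bool:
        if t < self.next_allowed:
            return self.locked  # inside the wait-out: attempt is not evaluated
        self.failures += 1
        self.next_allowed = t + self.base_delay * 2 ** (self.failures - 1)
        if self.failures >= self.threshold:
            self.locked = True
        return self.locked

def lock_time(policy, attempt_times):
    """Feed failed-login timestamps to a policy; return the lock time or None."""
    for t in attempt_times:
        if policy.record_failure(t):
            return t
    return None

# Constructed sequences: a slow guesser failing once every 7 s (just under
# 10 per minute) and a fat-fingered user bursting 10 failures in 13.5 s.
SLOW_GUESSER = [i * 7.0 for i in range(86)]
BURST_USER = [i * 1.5 for i in range(10)]
```

The window policy never locks the slow guesser but locks the bursting user, while the backoff policy does the opposite: it locks the slow guesser on the fifth evaluated failure and merely slows the burst down.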
btan, Exec Consultant
Distinguished Expert 2019

For author advice
Most Valuable Expert 2012
Distinguished Expert 2019

I'm curious.  If you find comments helpful, can I ask why they weren't accepted as part of the solution?
