account lockout best practice

pma111
I am looking into account lockout best practice configurations for failed login attempts/brute force. For one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60 second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view on whether this setting poses a risk in any way, or whether any password attack tools can be configured to work around this setting, e.g. a slower approach to how many attempts they make each minute, and if so, a more suitable suggestion of values?

Distinguished Expert 2018

Commented:
Can the administrator do it based on 3 or 5 failed logons, regardless of timeframe? If it has to be within the timeframe of a minute, then I would lower that threshold to 3. A user could realistically make that many attempts in a minute.
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
>>or if any password attack tools can be configured to work around this setting

Tools can be configured to do anything.  The catch is knowing the configured settings to be able to code around them.  That would take inside knowledge.

As far as if that app is acceptable or not, it depends.  Every shop should have a set of "standards" that should be a minimum that must be met.  Then you look at the apps on a case by case basis to see if you need tighter controls.

I would lock down web access to a payroll system a LOT tighter than a company intranet site where people can post cat pics.
btanExec Consultant
Distinguished Expert 2018

Commented:
It may be possible for such multiple short attempts, assuming it is a login using a smartphone, which can be thumb-unfriendly and prone to erroneous keys.

Another scenario that is much less likely is that the code did not clear entries on each failed attempt, so unintentional multiple attempts (e.g. a phone with no screen lock put into a pocket, cramped and pressed by other objects) are then treated as an "attack".

Best is to enforce 2FA and, on each failed attempt, add a "delay" check (e.g. increase the wait-out timer for that user) to slow down the attempts.

Network Engineer
Commented:
I would choose stronger lockout criteria, such as not resetting the bad lockout counts. When my users get locked out, it takes manual action to unlock. Any motivated attacker can slow down the attack rate. In addition, password spraying will try common passwords across all your users, which standard account lockout rules don't protect against, as each account might only see 1-5 bad passwords.

See these two links for some more information about password spraying.
https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks
https://www.us-cert.gov/ncas/alerts/TA18-086A
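As an added illustration (my own code, not from any of the commenters or from the application in question), here is a small Python simulation of the policies discussed in the two comments above: the 10-failures-in-60-seconds window from the question, a failure counter that is never reset on a timer, an escalating per-attempt delay, and per-source counting as a check for password spraying. The login events, timings and addresses are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample of login attempts: (timestamp_s, source_ip, user, succeeded).
# Mixed in: a user with two typos, a single-account guesser paced at 9 failures
# per minute (under the 10-in-60s rule), and a spray of one guess per account.
EVENTS = (
    [(5, "10.0.0.5", "bob", False), (12, "10.0.0.5", "bob", False),
     (20, "10.0.0.5", "bob", True)]
    + [(m * 60 + i * 6, "198.51.100.7", "alice", False) for m in range(3) for i in range(9)]
    + [(100 + n, "203.0.113.9", f"user{n:02d}", False) for n in range(20)]
)

def _over_threshold(events, key, window, threshold):
    """Sliding-window counter: return the keys (account or source address)
    that accumulate `threshold` failures within any `window`-second span."""
    recent, hit = defaultdict(deque), set()
    for ev in sorted(events):
        ts, ok = ev[0], ev[3]
        if ok:
            continue
        q = recent[key(ev)]
        q.append(ts)
        while ts - q[0] >= window:      # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hit.add(key(ev))
    return hit

def sliding_window_locked(events, window=60, threshold=10):
    """The policy from the question: lock an account at 10 failures in 60 s."""
    return _over_threshold(events, key=lambda ev: ev[2], window=window, threshold=threshold)

def spraying_sources(events, window=60, threshold=10):
    """Password spraying puts only a few failures on each account, so count
    failures per source address instead of per account."""
    return _over_threshold(events, key=lambda ev: ev[1], window=window, threshold=threshold)

def cumulative_locked(events, threshold=10):
    """Counter never reset by a timer (the non-resetting count suggested above)."""
    fails = defaultdict(int)
    for _ts, _src, user, ok in events:
        if not ok:
            fails[user] += 1
    return {u for u, n in fails.items() if n >= threshold}

def retry_delay(failures, base=1, cap=300):
    """Seconds a user must wait after their n-th consecutive failure: doubles
    each time and is capped, slowing guessing without a hard lockout."""
    return min(cap, base * 2 ** (failures - 1)) if failures > 0 else 0
```

On this sample the 10-in-60s window locks nobody, while the non-resetting counter locks the paced guesser's target and the per-source check flags the spraying address.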
btanExec Consultant
Distinguished Expert 2018

Commented:
For author advice
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
@pma111,
I'm curious.  If you find comments helpful, can I ask why they weren't accepted as part of the solution?
