Link to home
Get AccessLog in
Avatar of Pau Lo
Pau Lo

asked on

account lockout best practice

i am looking into account lockout best practice configurations for failed login attempts/brute force. for one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60 second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view if this setting poses a risk in anyway, or if any password attack tools can be configured to work around this setting e.g. a slower approach on how many it attempts each minute, and if so a more suitable suggestion of values?
Avatar of masnrock
Flag of United States of America image

Can the administrator do based on 3 or 5 failed logons, regardless of timeframe? If it has to be within the timeframe of a minute, then I would lower that threshold to 3. A user could realistically make that many attempts in a minute.
Avatar of slightwv (䄆 Netminder)
slightwv (䄆 Netminder)

>>or if any password attack tools can be configured to work around this setting

Tools can be configured to do anything.  The catch is knowing the configured settings to be able to code around them.  That would take inside knowledge.

As far as if that app is acceptable or not, it depends.  Every shop should have a set of "standards" that should be a minimum that must be met.  Then you look at the apps on a case by case basis to see if you need tighter controls.

I would lock down web access to a payroll system a LOT tighter than a company intranet site where people can post cat pics.
It may be possible for such multiple short attempts assuming it is login using smartphone which can be thumb unfriendly prone to error keys.

Another scenario that is much less likely is coding did not clear entries on each failed attempt so unintentional multiple attempts (e.g. no screenlock phone put into pocket cramped and pressed by other objects) are then treated as "attack".

Best is to enforce 2Fa and on each failed attempt create a "delay" checks (e.g. increase wait out timer for that user) to slow down the attempts.
Avatar of kevinhsieh
Flag of United States of America image

Link to home
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
For author advice
I'm curious.  If you find comments helpful, can I ask why they weren't accepted as part of the solution?