account lockout best practice

I am looking into account lockout best practice configurations for failed login attempts/brute force. For one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60 second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view on whether this setting poses a risk in any way, or if any password attack tools can be configured to work around this setting (e.g. a slower approach in how many attempts it makes each minute), and if so, a more suitable suggestion of values?
Can the administrator do it based on 3 or 5 failed logons, regardless of timeframe? If it has to be within the timeframe of a minute, then I would lower that threshold to 3. A user could realistically make that many attempts in a minute.
slightwv (Netminder) Commented:
>>or if any password attack tools can be configured to work around this setting

Tools can be configured to do anything.  The catch is knowing the configured settings to be able to code around them.  That would take inside knowledge.

As far as if that app is acceptable or not, it depends.  Every shop should have a set of "standards" that should be a minimum that must be met.  Then you look at the apps on a case by case basis to see if you need tighter controls.

I would lock down web access to a payroll system a LOT tighter than a company intranet site where people can post cat pics.
btan (Exec Consultant) Commented:
It may be possible to get such multiple short attempts, assuming the login is from a smartphone, which can be thumb-unfriendly and prone to mistyped keys.

Another scenario that is much less likely is that the code did not clear the entries on each failed attempt, so unintentional multiple attempts (e.g. a phone with no screen lock put into a pocket, cramped and pressed by other objects) are then treated as an "attack".

Best is to enforce 2FA and, on each failed attempt, apply a "delay" check (e.g. increase the wait-out timer for that user) to slow down the attempts.

I would choose stronger lockout criteria, such as not resetting the bad lockout counts. When my users get locked out, it takes manual action to unlock. Any motivated attacker can slow down the attack rate. In addition, password spraying will try common passwords across all your users, which standard account lockout rules don't protect against, as each account might only see 1-5 bad passwords.

See these two links for some more information about password spraying.
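To make the two points above concrete (a counter that only looks at a 60 second window versus one that never resets, and spraying that spreads failures across accounts), here is an added Python illustration that is not part of the thread; the class names, the 7 second spacing of the failure stream, the back-off cap and the sample log lines are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS, WINDOW_THRESHOLD = 60, 10  # the questioner's setting: 10 failures in 60 s
CUMULATIVE_THRESHOLD = 10                  # same count, but never reset until an admin unlocks

class WindowLockout:
    """Locks only when THRESHOLD failures fall inside one sliding 60 s window."""
    def __init__(self):
        self.failures, self.locked = defaultdict(deque), set()
    def record_failure(self, user, ts):
        q = self.failures[user]
        q.append(ts)
        while ts - q[0] >= WINDOW_SECONDS:   # drop failures that have aged out
            q.popleft()
        if len(q) >= WINDOW_THRESHOLD:
            self.locked.add(user)
        return user in self.locked

class CumulativeLockout:
    """Never resets the counter and adds a growing delay after every failure."""
    def __init__(self):
        self.count, self.locked = defaultdict(int), set()
    def record_failure(self, user, ts):
        self.count[user] += 1
        if self.count[user] >= CUMULATIVE_THRESHOLD:
            self.locked.add(user)
        return user in self.locked
    def delay_seconds(self, user):
        # exponential back-off 1, 2, 4, 8 ... capped at five minutes (constructed values)
        return min(2 ** (self.count[user] - 1), 300) if self.count[user] else 0

def simulate_slow_guessing(policy, user="alice", interval_seconds=7, attempts=60):
    """Constructed low-and-slow failure stream: one bad password every 7 s (under 9/min)."""
    for n in range(1, attempts + 1):
        if policy.record_failure(user, (n - 1) * interval_seconds):
            return n           # attempt number at which the lockout fired
    return None                # never locked

def spraying_sources(log_lines, min_distinct_users=5):
    """Flag sources whose failures spread across many accounts (password spraying)."""
    users_by_src = defaultdict(set)
    for line in log_lines:
        src, user, result = line.split()
        if result == "FAIL":
            users_by_src[src].add(user)
    return sorted(s for s, u in users_by_src.items() if len(u) >= min_distinct_users)

# constructed sample auth log: "<source ip> <user> <result>"
SAMPLE_LOG = ["10.0.0.5 %s FAIL" % u for u in ("alice", "bob", "carol", "dave", "erin")] + [
    "192.168.1.9 alice FAIL", "192.168.1.9 alice OK"]
```

With the 7 second spacing the window policy never fires because at most 9 failures ever sit inside one 60 second window, while the cumulative policy locks on the tenth failure; the spraying check flags the source that failed against five different accounts even though each account saw only one bad password.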

btan (Exec Consultant) Commented:
For author advice
slightwv (Netminder) Commented:
I'm curious.  If you find comments helpful, can I ask why they weren't accepted as part of the solution?