Angels of security » 2008 » May

Archive for May 11th, 2008

password lockouts

Sunday, May 11th, 2008

Has anyone ever stopped to ask themselves why they set password lockouts to 3 or 5? (The so-called “industry standard”). There are plenty of people who accidentally lock themselves out in 3 or 5 tried, and end up having to call the helpdesk (or equivalent) for a password reset. If the limits were raised to 10 or 20, it would probably greatly reduce those calls.

Generally passwords are much easier to obtain through human factors than brute force attacks. No additional security is gained by lowering the lockout from 20 to 3 as 20 attempts is still not enough to break in a brute force attack, and any password that can be guessed in 20 attempts can just as easily be guessed in 3.

Tags: brute force, passwords
Posted in Access Control Systems & Methodology | 2 Comments »

About this blog

This is not your normal information security blog. This blog is where I vent and struggle against the standards of infosec orthodoxy (wow - I can't even believe there is such a thing). If you're looking for a place to just get the standard security professional line on everything then this is not the place for you. This is a place to read the opinions (and I have many) of someone who often disagrees with standard conventions and isn't afraid to say so.