
password lockouts

Has anyone ever stopped to ask themselves why they set password lockouts to 3 or 5? (The so-called “industry standard”.) There are plenty of people who accidentally lock themselves out in 3 or 5 tries and end up having to call the helpdesk (or equivalent) for a password reset. If the limit were raised to 10 or 20, it would probably greatly reduce those calls.

Generally, passwords are much easier to obtain through human factors than through brute-force attacks. No additional security is gained by lowering the lockout from 20 to 3: 20 attempts is still nowhere near enough for a brute-force attack to succeed, and any password weak enough to be guessed in 20 attempts can just as easily be guessed in 3.


2 Responses to “password lockouts”

  1. Ty Sbano Says:

    I disagree… I stand by three. Cause three is my favorite number.

  2. Brian Says:

    I agree that increasing the number is an acceptable change. What concerns me is the “IT Security” audit recommendation to lockout forever. I got into a large argument with an audit supervisor over this. His idea is to follow blindly even if the recommendation creates a DOS vulnerability. Therefore any company following their “auditor’s” well thought out standards can be crippled within minutes with a simple batch file. How about 30 min lockout duration? Self healing is better than dead in the water. And any attacker desperate enough to attempt to brute force accounts will move on after having to wait for eternity every N tries.
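To put numbers on both points above (the post's claim that a threshold of 3 versus 20 makes no practical difference to an online guessing attack, and the comment's preference for a self-healing lockout duration over a permanent one), here is an added example, not code from the original post or either commenter. It is a small lockout tracker with a configurable threshold and duration, plus a simulation that counts how many wrong guesses the policy actually lets through per day. The class and function names, the account names and the 8-character lowercase keyspace are all assumptions made for the example.

```python
"""Failed-login lockout simulator (added example; names are hypothetical)."""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int               # consecutive failures that trigger a lockout
    duration_s: Optional[float]  # lockout length in seconds; None = locked until an admin resets it


class LockoutTracker:
    """Per-account lockout state for one policy. All timestamps are seconds."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}  # math.inf means permanent

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Temporary lockout has expired: self-heal and forget the old failures.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. A locked account is never evaluated,
        so even the correct password is rejected until the lockout lifts."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.policy.threshold:
            dur = self.policy.duration_s
            self._locked_until[user] = math.inf if dur is None else now + dur
        return "failed"


def guesses_per_day(policy: LockoutPolicy) -> float:
    """Analytic upper bound on wrong guesses one account can absorb in 24 hours."""
    if policy.duration_s is None:
        return float(policy.threshold)  # then a human has to intervene
    return policy.threshold * (86400 / policy.duration_s)


def evaluated_guesses(policy: LockoutPolicy, total_s: float, spacing_s: float = 1.0) -> int:
    """Simulate a client that sends a wrong password every spacing_s seconds
    and count how many of those the tracker actually evaluates."""
    tracker = LockoutTracker(policy)
    evaluated, now = 0, 0.0
    while now < total_s:
        if tracker.attempt("victim", False, now) == "failed":
            evaluated += 1
        now += spacing_s
    return evaluated


def keyspace_fraction_per_year(policy: LockoutPolicy, keyspace: int) -> float:
    """Share of the password space an online attacker could cover in a year."""
    return guesses_per_day(policy) * 365 / keyspace


if __name__ == "__main__":
    keyspace = 26 ** 8  # constructed example: 8 lowercase letters, ~2e11 candidates
    for threshold in (3, 20):
        pol = LockoutPolicy(threshold=threshold, duration_s=1800)
        print(threshold, guesses_per_day(pol), evaluated_guesses(pol, 86400),
              f"{keyspace_fraction_per_year(pol, keyspace):.2e} of keyspace/year")
```

With a 30-minute lockout, the simulation lets through 144 wrong guesses a day at threshold 3 and 960 at threshold 20; against even a modest 8-letter keyspace both cover well under a hundred-thousandth of the space in a year, which is the post's point in numbers. The tracker also shows the difference the comment is arguing about: with `duration_s=None` a single burst of wrong passwords leaves the account rejecting the correct password indefinitely, whereas a finite duration clears itself.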

 
Pi is exactly 3!