http://angelsofsecurity.com/blog/2008/05/11/password-lockouts/ Musings of an infosec renegade Tue, 19 Jul 2011 19:43:52 +0000 hourly 1 http://wordpress.org/?v=3.2.1 http://angelsofsecurity.com/blog/2008/05/11/password-lockouts/comment-page-1/#comment-697 Brian Fri, 11 Jul 2008 04:11:59 +0000 http://angelsofsecurity.com/blog/2008/05/11/password-lockouts/#comment-697 I agree that increasing the number is an acceptable change. What concerns me is the "IT Security" audit recommendation to lockout forever. I got into a large argument with an audit supervisor over this. His idea is to follow blindly even if the recommendation creates a DOS vulnerability. Therefore any company following their "auditor's" well thought out standards can be crippled within minutes with a simple batch file. How about 30 min lockout duration? Self healing is better than dead in the water. And any attacker desperate enough to attempt to brute force accounts will move on after having to wait for eternity every N tries. I agree that increasing the number is an acceptable change. What concerns me is the “IT Security” audit recommendation to lockout forever. I got into a large argument with an audit supervisor over this. His idea is to follow blindly even if the recommendation creates a DOS vulnerability. Therefore any company following their “auditor’s” well thought out standards can be crippled within minutes with a simple batch file. How about 30 min lockout duration? Self healing is better than dead in the water. And any attacker desperate enough to attempt to brute force accounts will move on after having to wait for eternity every N tries.

]]> http://angelsofsecurity.com/blog/2008/05/11/password-lockouts/comment-page-1/#comment-630 Ty Sbano Fri, 20 Jun 2008 20:50:03 +0000 http://angelsofsecurity.com/blog/2008/05/11/password-lockouts/#comment-630 I disagree... I stand by three. Cause three is my favorite number. I disagree… I stand by three. Cause three is my favorite number.

]]>