Educause Security Discussion mailing list archives

Re: Account Lockout Policies


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 11 Jul 2006 17:52:02 -0400

On Tue, 11 Jul 2006 16:07:30 EDT, Randy Marchany said:
> We use 3 attempts before lockout, but the duration is short.  The point
> is to stop automated attempts and random guessing so I don't see much
> point in locking "forever".

Time to become the pinata :-).

If anybody cares, one of the earliest cites on login attempts is probably
the DoD 'Rainbow Series' manual on password management (April 1985).  It's
important to note that at least in this manual, the *goal* (limit the
upper bound of guesses) is clearly understood - I'm not convinced that most
auditors have as good a grasp on the *why* as the Rainbow Series guys did.

Also relevant here is a posting to this list by Gene Spafford back from
April 11, regarding password aging requirements, which is the flip side of
the same coin.

Figuring out how well the current Internet-full-of-zombies threat model matches
the original DoD threat model, and what that implies, is left as an exercise
for the reader (but refer back to Spaf's posting, it makes a great cheat sheet).

http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

Print this one out, and give it to your auditor.  Have them think about the
issues Spaf raises - they apply to both login rate limiting and password aging.

And the historical record:

http://csrc.nist.gov/secpubs/rainbow/std002.txt

4.3.4 Login Attempt Rate

      By controlling the rate at which login attempts can be made (where each
attempt constitutes a guess of a password), the number of guesses a penetrator
can make during a password's lifetime is limited to a known upper bound.  To
control attacks where a penetrator attempts many logins through a single
access port, the password guess rate should be controlled on a per-access port
basis.  That is, each access port should be individually controlled to limit
the rate at which login attempts can be made at each port.  When a penetrator
can easily switch among multiple access ports, it is recommended that the
password guess rate also be controlled on a per-user ID basis.  It is
recommended that maximum login attempt rates fall within the range of one per
second to one per minute.  This range provides reasonable user-friendliness
without permitting so many login attempts that an extremely large password
space or an extremely short password lifetime is necessary.  See Appendix C
for a discussion of the relationship between the guess rate, password
lifetime, and password space.  Note that it is not intended that login be an
inherently slow procedure, for there is no reason to delay a successful login.
However, in the event of an unsuccessful login attempt, it is quite reasonable
to use an internal timer to enforce the desired delay before permitting the
next login attempt.  The user should not be able to bypass this procedure.
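To make the mechanism in 4.3.4 concrete, here is an added example (not code from the standard or from anyone in this thread) of a limiter that delays only after a failed attempt, keyed on both the access port and the user ID so that switching ports does not reset the guess rate; the port names, user names, 1-second interval and 90-day lifetime are assumed values.

```python
"""Per-access-port and per-user-ID login attempt rate limiting (example code)."""
from dataclasses import dataclass, field


@dataclass
class LoginRateLimiter:
    """Enforce a minimum delay after a failed login, on both the port and the user.

    A successful login is never delayed; only a failure starts the timer, and
    while the timer runs, further attempts on that port or that user ID are
    refused before the password is even checked, so they cannot act as guesses.
    """
    min_interval: float  # seconds between attempts after a failure (1 to 60 per 4.3.4)
    _port_ready: dict[str, float] = field(default_factory=dict)  # port -> earliest next attempt
    _user_ready: dict[str, float] = field(default_factory=dict)  # user -> earliest next attempt

    def attempt(self, port: str, user: str, password_ok: bool, now: float) -> str:
        """Return 'throttled', 'success' or 'failure' for an attempt at time `now`."""
        if now < self._port_ready.get(port, 0.0) or now < self._user_ready.get(user, 0.0):
            return "throttled"  # refused by the internal timer; the guess is not evaluated
        if password_ok:
            return "success"  # no reason to delay a successful login
        ready = now + self.min_interval
        self._port_ready[port] = ready  # per-access-port control
        self._user_ready[user] = ready  # per-user-ID control, for penetrators that switch ports
        return "failure"


def max_guesses(min_interval: float, lifetime_seconds: float) -> int:
    """Known upper bound on guesses against one user ID over a password's lifetime.

    With at most one guess every `min_interval` seconds, guesses can land at
    0, min_interval, 2*min_interval, ... up to the lifetime, hence floor + 1.
    """
    return int(lifetime_seconds // min_interval) + 1


if __name__ == "__main__":
    # Constructed scenario: one failure on ttyA for alice throttles both
    # ttyA (any user) and alice (any port) for one second.
    rl = LoginRateLimiter(min_interval=1.0)
    print(rl.attempt("ttyA", "alice", False, 0.0))  # failure
    print(rl.attempt("ttyB", "alice", False, 0.5))  # throttled (per-user)
    print(rl.attempt("ttyA", "bob", True, 0.5))     # throttled (per-port)
    print(rl.attempt("ttyB", "bob", True, 0.5))     # success
    print(rl.attempt("ttyA", "alice", True, 1.0))   # success once the timer expires
    print(max_guesses(60.0, 90 * 24 * 3600))        # one per minute over 90 days
```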

