Educause Security Discussion mailing list archives
Re: Account Lockout Settings
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 28 Apr 2010 14:57:25 +1200
On 28/04/2010, at 7:32 AM, Roger Safian wrote:
> At 02:25 PM 4/27/2010, Rivers, Andrew E put fingers to keyboard and wrote:
>> As our users change their password, it never fails that at least one of these many devices will continue to authenticate with the old password and, as you guessed, lock out their account.
>
> Our group advocates the use of lockouts that expire after some point of time. Lockouts that don't expire can just be used as a denial of service attack.
Amen. If you enforce good passwords up front, the need for lockout largely disappears, as the accounts are not vulnerable to password guessing. The UNIX approach to this is to force a network reconnect after 3 attempts - this dramatically slows down guessing attempts. I have seen many brute force attempts on ftp accounts in my snort logs -- typically attackers give up on UNIX boxes after about 100 attempts, but the same attackers will try 1000 times on a Windows server. (Figures are order of magnitude ;) Presumably because Windows never drops the session.

R
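The two defensive policies discussed in this thread, modelled as an added illustration (this is not code from any of the posters or from any product they mention): a per-account lockout that expires after a configurable window, so a stale device replaying an old password causes a temporary outage rather than a permanent denial of service, and a per-connection limit that drops the session after a small number of failures, so a guesser pays a reconnect for every few tries. Class names, thresholds, the account name "alice" and the timings in the scenario are all constructed for the example; time is passed in explicitly so the behaviour is deterministic.

```python
"""Expiring account lockout and per-session attempt limit (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # None means the account is not locked


class ExpiringLockout:
    """Lock an account after max_failures bad passwords, but only for
    lockout_seconds; after that the lock and the counter clear themselves."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._accounts: Dict[str, AccountState] = {}

    def is_locked(self, account: str, now: float) -> bool:
        st = self._accounts.get(account)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            # The lockout has expired: clear it and reset the failure count.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one authentication attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"  # rejected without even checking the password
        st = self._accounts.setdefault(account, AccountState())
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


class SessionAttemptLimiter:
    """Per-connection counter: after max_per_session failures the server drops
    the session, so the client must reconnect before it can try again."""

    def __init__(self, max_per_session: int = 3):
        self.max_per_session = max_per_session
        self.failures = 0
        self.disconnected = False

    def attempt(self, password_ok: bool) -> str:
        if self.disconnected:
            return "disconnected"
        if password_ok:
            return "ok"
        self.failures += 1
        if self.failures >= self.max_per_session:
            self.disconnected = True
            return "disconnected"
        return "denied"


def stale_device_scenario() -> List[str]:
    """Constructed scenario: a forgotten device retries the old password every
    60 s for five attempts, the user then tries the new password inside the
    lockout window, and again after the window has expired."""
    policy = ExpiringLockout(max_failures=3, lockout_seconds=300)
    outcomes = []
    for i in range(5):
        outcomes.append(policy.attempt("alice", password_ok=False, now=i * 60.0))
    outcomes.append(policy.attempt("alice", password_ok=True, now=300.0))  # still locked
    outcomes.append(policy.attempt("alice", password_ok=True, now=500.0))  # lock expired
    return outcomes


if __name__ == "__main__":
    print("stale device:", stale_device_scenario())
    limiter = SessionAttemptLimiter(max_per_session=3)
    print("one session:", [limiter.attempt(False) for _ in range(4)])
```

In the scenario the third bad password locks the account until t=420 s, so the user's own correct password at t=300 s is still refused, but by t=500 s the lock has cleared on its own; with a non-expiring lockout that last attempt would fail too, and the stale device would keep the account unusable until an administrator intervened.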
Current thread:
- Account Lockout Settings Rivers, Andrew E (Apr 27)
- <Possible follow-ups>
- Re: Account Lockout Settings Roger Safian (Apr 27)
- Re: Account Lockout Settings Russell Fulton (Apr 27)