Re: assessing an authentication service

[Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>]

David Lassner wrote:

> It should be the goal of every IT environment that, at the very least:
...

>        4. EVERY system locks up an account if a password is entered
>           incorrectly N times in succession.

Colleagues-

Personally, I've never been a fan of this particular security policy.
While it may have some benefit in protecting accounts from unauthorized
use (and that's debatable), IMHO any benefit is far outweighed by the
potential for denial of service that this policy facilitates.

It is far too easy for an external attacker, disgruntled employee,
student prankster, etc to "lock" anyone's account by simply attempting
to log in "N" times.  It would also be trivial to write an automatic
Expect script to run through every user account in the enterprise and
lock them out at will.

I prefer a system whereby N successive incorrect logins trigger an alert
to the sysadmins and/or Help Desk. That way they can contact the account
owner to determine if the owner simply forgot his/her password, or if
some hacking attempt was occurring.

--
Jeff Giacobbe
Dir. of Systems, Security, Networking
Montclair State University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.