Educause Security Discussion mailing list archives
Re: Account Lockout Policies
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 11 Jul 2006 14:14:29 -0500
> In addition to complexity requirements, their Best Practices
> recommendations include password policies set as follows:
>
>  - Account Lockout Threshold: 3 Attempts
>  - Account Lockout Duration: Administrator Unlocks
>
> We have two separate problems with this recommendation.
>
> We would like to conform to the recommendations our auditors have
> made, but are having difficulty with this one. Any suggestions or
> insights on your experiences with Account Lockouts and/or utilities
> that manage this would be greatly appreciated.
Do you have the option of making the lockout apply only to the IP address that the attempt came from? Then you wouldn't (so easily) be likely to cause a denial of service.

The 'administrator unlocks' is something you need to persuade your auditor may not be workable. (Something he'll probably be convinced of pretty quickly should someone malicious lock out the auditor repeatedly...)

IMHO even a 5 minute auto-reenable should be enough to undo a password-guessing attack.

Graham
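The trade-off Graham describes (account-wide lockout cleared only by an administrator versus a lockout keyed to the source address that expires on its own) can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the list, from UTPA, or from any auditor's toolkit. The `LockoutPolicy`/`LockoutTracker` names, the sample account, and the addresses 203.0.113.7 and 198.51.100.5 are all constructed for illustration.

```python
"""Added example: compare two login-lockout policies.

  - the auditor's recommendation: 3 failures, account-wide, admin unlocks
  - the reply's suggestion: 3 failures, scoped to the source address,
    automatically cleared after 5 minutes

All accounts, passwords and addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential store for the simulation (not real accounts).
PASSWORDS = {"alice": "correct horse battery staple"}


@dataclass
class LockoutPolicy:
    threshold: int = 3                  # failures before the lockout engages
    duration: Optional[float] = 300.0   # seconds; None = administrator must unlock
    per_source: bool = False            # True: count failures per (account, source IP)


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # A value of None in locked_until means "locked until an administrator unlocks".
    locked_until: Dict[Tuple[str, str], Optional[float]] = field(default_factory=dict)

    def _key(self, account: str, source: str) -> Tuple[str, str]:
        return (account, source if self.policy.per_source else "*")

    def is_locked(self, account: str, source: str, now: float) -> bool:
        key = self._key(account, source)
        if key not in self.locked_until:
            return False
        until = self.locked_until[key]
        if until is None:
            return True                      # only admin_unlock() clears this
        if now >= until:
            del self.locked_until[key]       # expired: clear lock and counter
            self.failures.pop(key, None)
            return False
        return True

    def attempt(self, account: str, source: str, password: str, now: float) -> str:
        """Record one login attempt; returns 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(account, source, now):
            return "locked"
        key = self._key(account, source)
        if PASSWORDS.get(account) == password:
            self.failures.pop(key, None)     # success resets the counter
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.policy.threshold:
            self.locked_until[key] = (
                None if self.policy.duration is None else now + self.policy.duration
            )
        return "bad_password"

    def admin_unlock(self, account: str) -> None:
        for key in [k for k in self.locked_until if k[0] == account]:
            del self.locked_until[key]
            self.failures.pop(key, None)


def simulate(policy: LockoutPolicy) -> Tuple[str, str, str]:
    """Three wrong guesses for alice from 203.0.113.7 at t=0..2, then the real
    user logs in from 198.51.100.5 at t=60 and t=400; the guesser tries again
    at t=400. Returns the three outcomes (user@60, user@400, guesser@400)."""
    tracker = LockoutTracker(policy)
    for i in range(3):
        tracker.attempt("alice", "203.0.113.7", f"guess{i}", now=float(i))
    user_at_60 = tracker.attempt("alice", "198.51.100.5", PASSWORDS["alice"], now=60.0)
    user_at_400 = tracker.attempt("alice", "198.51.100.5", PASSWORDS["alice"], now=400.0)
    guesser_at_400 = tracker.attempt("alice", "203.0.113.7", "guess3", now=400.0)
    return user_at_60, user_at_400, guesser_at_400


def max_guesses_per_hour(policy: LockoutPolicy) -> Optional[int]:
    """Upper bound on online guesses one source can make against one account in
    an hour under an auto-expiring lockout; None when only an admin can unlock."""
    if policy.duration is None:
        return None
    return int(policy.threshold * 3600 / policy.duration)


if __name__ == "__main__":
    auditor = LockoutPolicy(threshold=3, duration=None, per_source=False)
    reply = LockoutPolicy(threshold=3, duration=300.0, per_source=True)
    print("account-wide, admin unlocks:", simulate(auditor))
    print("per-source, 5 min auto-clear:", simulate(reply))
    print("guesses/hour per source under 5 min policy:", max_guesses_per_hour(reply))
```

Under the account-wide admin-unlock policy the legitimate user is shut out by three guesses from someone else's address, and stays shut out until a helpdesk ticket is worked; under the per-source auto-clearing policy the real user is unaffected while the guessing source is still capped at 36 attempts per hour per account, which is the point of Graham's "5 minute auto-reenable" remark.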