Educause Security Discussion mailing list archives

Re: Account Lockout Policies


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 11 Jul 2006 16:14:10 -0400


I'd recommend sitting down with the internal auditors and/or
external consultants. Find out what security threat they are
attempting to address with their recommendations. Discuss
other mitigation possibilities. Also discuss the threat and
implications to the organization of a denial of service and
how the recommendations affect associated risks. Finally,
discuss the effect on the organization - its employees
being locked out, the support organization unlocking the
accounts, and the authentication process before the account
can be unlocked.

Many applications and platforms incorporate a delay before
reprompting after an unsuccessful login. That feature makes
brute force guessing impractical. In my opinion, under those
circumstances, a lockout after 10, 20, or even 30 unsuccessful
attempts is more than adequate and more realistically
addresses security vs usability vs denial of service risk.
A high threshold reduces false positives due to operator
error while providing little increased risk. It's a shame that
Microsoft doesn't incorporate such a delay in the Windows
login process but the increased probability of guessing
a password with 30 tries over the probability of guessing
it with five tries is infinitesimal.

Automatically reversing the lockout after a predetermined
period of perhaps 30 minutes would be acceptable in the
interest of customer service and provide some automated
denial of service response and recovery.

However, I believe relying on such features is somewhat
antiquated and misguided. A more appropriate security measure
would be that repeated unsuccessful logins and lockout events
generate security events for humans or automated log monitoring
processes to classify and investigate. Depending upon lockouts
is an invitation for a mass denial of service attack. Consider
how easy it would be to incorporate such functionality in a
worm and the resulting effects.

Intelligent account usage auditing is going to be more and more
necessary as we open more and more services to SSO functionality
and identity management systems. Login successes, where they come
from, at what time, and how often, will be as much or more
important than login failures. This will even be true with
enhanced authentication technologies such as two-factor and
PKI as threats evolve to compromise and circumvent them...perhaps
even more so as they're often associated with elevated access
privileges. The financial sector's "risk based authentication"
and fraud detection techniques will become more common.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
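The log-monitoring approach Gary argues for, as an added example that is not part of the original post or any JMU tooling: it reads constructed log lines in an assumed `timestamp user source result` format and raises a security event for a brute-force run against one account and for a single source failing against many accounts (the mass-lockout denial of service he warns about), while a couple of operator typos followed by a successful login produce nothing.

```python
"""Added example, not from the original post or JMU: turn repeated login
failures into security events. Assumes a constructed 'ts user src result' log."""
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample, not real data: a typo, a brute-force run, a sweep."""
    t0 = datetime(2006, 7, 11, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} alice 10.0.0.5 {r}"
             for i, r in enumerate(["FAIL", "FAIL", "OK"])]      # operator typo
    lines += [f"{(t0 + timedelta(minutes=10, seconds=i)).isoformat()} bob 198.51.100.7 FAIL"
              for i in range(12)]                                  # one account hammered
    lines += [f"{(t0 + timedelta(minutes=20, seconds=i)).isoformat()} user{i:02d} 203.0.113.9 FAIL"
              for i in range(12)]                                  # one source, many accounts
    return "\n".join(lines)

def max_distinct_in_window(events, window):
    """events: sorted (timestamp, key) pairs; max distinct keys in any window."""
    counts, best, start = defaultdict(int), 0, 0
    for ts, key in events:
        counts[key] += 1
        while ts - events[start][0] > window:        # drop events older than the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def classify(log_text, window=timedelta(minutes=30), threshold=10):
    """Return (kind, key, count): 'brute_force' = one account, >= threshold failures;
    'lockout_sweep' = one source failing against >= threshold distinct accounts."""
    per_user, per_source = defaultdict(list), defaultdict(list)
    for n, line in enumerate(log_text.splitlines()):
        ts, user, src, result = line.split()
        if result == "FAIL":
            stamp = datetime.fromisoformat(ts)
            per_user[user].append((stamp, n))       # each failure is a distinct key
            per_source[src].append((stamp, user))   # count distinct accounts per source
    events = []
    for kind, groups in (("brute_force", per_user), ("lockout_sweep", per_source)):
        for key, ev in groups.items():
            count = max_distinct_in_window(sorted(ev), window)
            if count >= threshold:
                events.append((kind, key, count))
    return events
```

Calling `classify(build_sample_log())` reports bob's account and the 203.0.113.9 source; raising `threshold` to match a high lockout limit suppresses both, which is the trade-off the post describes.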
