Educause Security Discussion mailing list archives
Re: Account Lockout Policies
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 11 Jul 2006 16:14:10 -0400
I'd recommend sitting down with the internal auditors and/or external consultants. Find out what security threat they are attempting to address with their recommendations. Discuss other mitigation possibilities. Also discuss the threat and implications to the organization of a denial of service and how the recommendations affect associated risks. Finally, discuss the effect on the organization - its employees being locked out, the support organization unlocking the accounts, and the authentication process before the account can be unlocked.

Many applications and platforms incorporate a delay before reprompting after an unsuccessful login. That feature makes brute force guessing impractical. In my opinion, under those circumstances, a lockout after 10, 20, or even 30 unsuccessful attempts is more than adequate and more realistically addresses security vs usability vs denial of service risk. A high threshold reduces false positives due to operator error while providing little increased risk. It's a shame that Microsoft doesn't incorporate such a delay in the Windows login process, but the increased probability of guessing a password with 30 tries over the probability of guessing it with five tries is infinitesimal.

Automatically reversing the lockout after a predetermined period of perhaps 30 minutes would be acceptable in the interest of customer service and provide some automated denial of service response and recovery.

However, I believe relying on such features is somewhat antiquated and misguided. A more appropriate security measure would be that repeated unsuccessful logins and lockout events generate security events for humans or automated log monitoring processes to classify and investigate. Depending upon lockouts is an invitation for a mass denial of service attack. Consider how easy it would be to incorporate such functionality in a worm and the resulting effects.
Intelligent account usage auditing is going to be more and more necessary as we open more and more services to SSO functionality and identity management systems. Login successes, where they come from, at what time, and how often, will be as much or more important than login failures. This will even be true with enhanced authentication technologies such as two-factor and PKI as threats evolve to compromise and circumvent them...perhaps even more so as they're often associated with elevated access privileges. The financial sector's "risk based authentication" and fraud detection techniques will become more common.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
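The policy trade-offs described in the message above, worked through as an added example (this is not code from the original post or from JMU): a small Python model of a login front end with a doubling re-prompt delay, a lockout threshold, and a timed auto-unlock, which also emits the audit events the message argues for (repeated failures, lockouts, automatic unlocks, and successful logins from a source not seen before). The policy values (1 s base delay capped at 30 s, threshold 30, 30 minute auto-unlock, alert after 5 failures), the event names and the login attempts are all constructed for this example. `guesses_per_day` bounds how many online guesses one account can absorb per day under a given threshold when the attacker simply waits out each lockout, which is the comparison behind the "5 versus 30 tries" point.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:  # values are this example's assumptions, not from the original message
    lockout_threshold: int = 30                           # consecutive failures that lock the account
    lockout_duration: timedelta = timedelta(minutes=30)   # automatic unlock window
    base_delay_s: float = 1.0                             # re-prompt delay after the first failure
    max_delay_s: float = 30.0                             # cap on the doubling delay
    alert_after: int = 5                                  # failures that raise a REPEATED_FAILURE event


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    next_allowed: Optional[datetime] = None       # earliest time a new attempt is evaluated
    known_sources: Set[str] = field(default_factory=set)


def delay_after(policy: Policy, failures: int) -> float:
    """Seconds the server waits before re-prompting after the n-th consecutive failure."""
    return min(policy.base_delay_s * 2 ** (failures - 1), policy.max_delay_s)


def guesses_per_day(policy: Policy) -> float:
    """Guesses per day against one account for an attacker who waits out each lockout:
    `threshold` guesses per cycle, a cycle being the delays before the locking failure
    plus the lockout itself (the lockout supersedes the delay after the last failure)."""
    n = policy.lockout_threshold
    cycle = sum(delay_after(policy, i) for i in range(1, n)) + policy.lockout_duration.total_seconds()
    return 86400 / cycle * n


class LoginMonitor:
    def __init__(self, policy: Policy, baseline: Optional[Dict[str, Set[str]]] = None):
        self.policy = policy
        self.states: Dict[str, AccountState] = {}
        for user, sources in (baseline or {}).items():      # previously seen login sources
            self.states[user] = AccountState(known_sources=set(sources))

    def attempt(self, when: datetime, user: str, src: str, password_ok: bool) -> Tuple[str, List[tuple]]:
        """Returns (outcome, events); outcome is LOCKED, THROTTLED, FAIL or SUCCESS."""
        st = self.states.setdefault(user, AccountState())
        events: List[tuple] = []
        if st.locked_until is not None:
            if when < st.locked_until:
                return "LOCKED", events            # denied outright, even for the right password
            st.locked_until, st.failures, st.next_allowed = None, 0, None
            events.append((when, "AUTO_UNLOCK", user, src))
        if st.next_allowed is not None and when < st.next_allowed:
            return "THROTTLED", events             # re-prompt delay still running, not evaluated
        if password_ok:
            if st.known_sources and src not in st.known_sources:
                events.append((when, "NEW_SOURCE_SUCCESS", user, src))
            st.known_sources.add(src)
            st.failures, st.next_allowed = 0, None
            return "SUCCESS", events
        st.failures += 1
        st.next_allowed = when + timedelta(seconds=delay_after(self.policy, st.failures))
        if st.failures == self.policy.alert_after:
            events.append((when, "REPEATED_FAILURE", user, src))
        if st.failures >= self.policy.lockout_threshold:
            st.locked_until = when + self.policy.lockout_duration
            events.append((when, "LOCKOUT", user, src))
        return "FAIL", events


T0 = datetime(2006, 7, 11, 16, 0, 0)
BASELINE = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}   # constructed baseline of known sources


def sample_attempts() -> List[tuple]:
    """Constructed attempts: (time, user, source, password_ok)."""
    a = [(T0 + timedelta(minutes=i), "alice", "10.0.0.5", False) for i in range(3)]   # three typos
    a.append((T0 + timedelta(minutes=4), "alice", "10.0.0.5", True))                  # then correct
    a += [(T0 + timedelta(minutes=i), "bob", "203.0.113.7", False) for i in range(35)]  # guessing run
    a.append((T0 + timedelta(minutes=40), "bob", "10.0.0.9", True))      # bob himself, still locked out
    a.append((T0 + timedelta(minutes=70), "bob", "198.51.100.20", True))  # after auto-unlock, new source
    return a


def run(attempts: List[tuple], policy: Optional[Policy] = None, baseline=None):
    mon = LoginMonitor(policy or Policy(), baseline)
    outcomes, events = [], []
    for when, user, src, ok in sorted(attempts):
        outcome, evs = mon.attempt(when, user, src, ok)
        outcomes.append((when, user, outcome))
        events.extend(evs)
    return outcomes, events


if __name__ == "__main__":
    for n in (5, 30):
        print(f"threshold {n}: about {guesses_per_day(Policy(lockout_threshold=n)):.0f} guesses/day")
    for when, kind, user, src in run(sample_attempts(), baseline=BASELINE)[1]:
        print(when.time(), kind, user, src)
```

Two things the run makes concrete. First, with the delay in place the difference between a threshold of 5 and 30 is a few hundred versus roughly a thousand guesses per account per day; against any reasonable password space both are negligible, which is the sense in which the extra risk of a higher threshold is small. Second, the guessing run locks bob out for 30 minutes and his own correct password at minute 40 is rejected, so the lockout is itself the denial of service, while the REPEATED_FAILURE, LOCKOUT and NEW_SOURCE_SUCCESS events are what a monitoring process would actually act on.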