Educause Security Discussion mailing list archives
Re: Account Lockout Policies
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 11 Jul 2006 17:52:02 -0400
On Tue, 11 Jul 2006 16:07:30 EDT, Randy Marchany said:
We use 3 attempts before lockout, but the duration is short. The point is to stop automated attempts and random guessing so I don't see much point in locking "forever". Time to become the pinata :-).
If anybody cares, one of the earliest cites on login attempts is probably the DoD 'Rainbow Series' manual on password management (April 1985). It's important to note that at least in this manual, the *goal* (limit the upper bound of guesses) is clearly understood - I'm not convinced that most auditors have as good a grasp on the *why* as the Rainbow Series guys did.

Also relevant here is a posting to this list by Gene Spafford back from April 11, regarding password aging requirements, which is the flip side of the same coin. Figuring out how well the current Internet-full-of-zombies threat model matches the original DoD threat model, and what that implies, is left as an exercise for the reader (but refer back to Spaf's posting, it makes a great cheat sheet).

http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

Print this one out, and give it to your auditor. Have them think about the issues Spaf raises - they apply to both login rate limiting and password aging.

And the historical record:

http://csrc.nist.gov/secpubs/rainbow/std002.txt

4.3.4 Login Attempt Rate

By controlling the rate at which login attempts can be made (where each attempt constitutes a guess of a password), the number of guesses a penetrator can make during a password's lifetime is limited to a known upper bound. To control attacks where a penetrator attempts many logins through a single access port, the password guess rate should be controlled on a per-access port basis. That is, each access port should be individually controlled to limit the rate at which login attempts can be made at each port. When a penetrator can easily switch among multiple access ports, it is recommended that the password guess rate also be controlled on a per-user ID basis. It is recommended that maximum login attempt rates fall within the range of one per second to one per minute.
This range provides reasonable user-friendliness without permitting so many login attempts that an extremely large password space or an extremely short password lifetime is necessary. See Appendix C for a discussion of the relationship between the guess rate, password lifetime, and password space. Note that it is not intended that login be an inherently slow procedure, for there is no reason to delay a successful login. However, in the event of an unsuccessful login attempt, it is quite reasonable to use an internal timer to enforce the desired delay before permitting the next login attempt. The user should not be able to bypass this procedure.
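The throttle that section 4.3.4 above describes, written out as an added example (this is illustration code, not code from the posting or from the standard): a per-access-port timer, a per-user-ID timer layered on top of it for penetrators who hop ports, no delay on a successful login, and the timers started only by a failed attempt. The class and function names (LoginThrottle, attempt, guesses_evaluated, max_guesses, success_probability), the in-memory dict timers, and the "guesses divided by password space" reading of the Appendix C relationship are assumptions of the example. The simulated attacker traffic and the 90-day lifetime are constructed inputs.

```python
"""Login-attempt throttle in the shape CSC-STD-002-85 section 4.3.4 describes.

Added illustration, not code from the list posting or from the standard.
Class and function names (LoginThrottle, attempt, guesses_evaluated,
max_guesses, success_probability) and the in-memory dict timers are
assumptions made for the example; a real system keeps the timers
server-side so the user cannot bypass them.
"""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Enforce a minimum interval between login attempts after a failure.

    port_delay: seconds an access port is held after a failed attempt.
    user_delay: seconds a user ID is held after a failed attempt, enforced in
        addition to the port timer for penetrators who hop between ports.
    The standard's recommended range is one attempt per second to one per
    minute, so both delays should lie in [1, 60].
    """
    port_delay: float = 1.0
    user_delay: float = 1.0
    _port_next: dict = field(default_factory=dict)  # port -> earliest next attempt
    _user_next: dict = field(default_factory=dict)  # user -> earliest next attempt

    def wait_time(self, port: str, user: str, now: float) -> float:
        """Seconds until an attempt from this port for this user is accepted."""
        held_until = max(self._port_next.get(port, 0.0),
                         self._user_next.get(user, 0.0))
        return max(0.0, held_until - now)

    def attempt(self, port: str, user: str, password_ok: bool,
                now: float) -> tuple[str, float]:
        """Process one login attempt; returns (status, retry_after_seconds).

        "throttled": a timer has not expired, so the password is not even
            checked and the attempt does not count as a guess.
        "ok": correct password; no delay, since there is no reason to slow a
            successful login.
        "bad_password": wrong password; both timers are (re)started.
        Throttled attempts do not extend the timers, so hammering a port
        cannot be used to hold a user out indefinitely.
        """
        wait = self.wait_time(port, user, now)
        if wait > 0:
            return "throttled", wait
        if password_ok:
            return "ok", 0.0
        self._port_next[port] = now + self.port_delay
        self._user_next[user] = now + self.user_delay
        return "bad_password", max(self.port_delay, self.user_delay)


def guesses_evaluated(throttle: LoginThrottle, port: str, user: str,
                      attempts_per_second: float, duration: float) -> int:
    """Simulate a penetrator hammering one port/user with wrong passwords
    (constructed traffic) and count how many guesses actually get evaluated."""
    evaluated = 0
    for i in range(int(attempts_per_second * duration)):
        status, _ = throttle.attempt(port, user, False, now=i / attempts_per_second)
        if status != "throttled":
            evaluated += 1
    return evaluated


def max_guesses(rate_per_second: float, lifetime_seconds: float) -> int:
    """Upper bound on guesses against one account during a password's lifetime,
    the quantity section 4.3.4 says rate control pins down."""
    return int(rate_per_second * lifetime_seconds)


def success_probability(rate_per_second: float, lifetime_seconds: float,
                        password_space: int) -> float:
    """Chance a penetrator guesses the password within its lifetime, taken here
    as achievable guesses divided by password space (the relationship Appendix
    C of the standard discusses; the plain ratio is this example's assumption)."""
    return max_guesses(rate_per_second, lifetime_seconds) / password_space


if __name__ == "__main__":
    t = LoginThrottle(port_delay=1.0, user_delay=5.0)
    print(t.attempt("tty1", "alice", False, now=100.0))  # bad_password, held 5 s
    print(t.attempt("tty1", "bob", True, now=100.5))     # throttled by the port timer
    print(t.attempt("tty2", "alice", True, now=101.5))   # throttled by the user timer
    print(t.attempt("tty2", "alice", True, now=105.0))   # ok, no delay on success
    # 10 attempts/s for one minute against a 1 s port timer
    print(guesses_evaluated(LoginThrottle(), "tty1", "eve", 10, 60))
    # One guess per second over a 90-day lifetime against 8 lowercase letters
    life = 90 * 86400
    print(max_guesses(1.0, life), success_probability(1.0, life, 26 ** 8))
```

The per-user timer is what bounds a port-hopping attacker, and it is also exactly the lever that lets an attacker keep a legitimate user out by feeding wrong passwords for that ID, which is the trade-off the thread is circling around; the standard's choice of seconds to a minute rather than an indefinite lockout keeps that damage small while still capping the guess count, and the last two functions make that cap (and its relationship to password lifetime and password space) explicit for your auditor.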
Current thread:
- Account Lockout Policies Saburo Usami (Jul 11)
- <Possible follow-ups>
- Re: Account Lockout Policies Eric Brewer (Jul 11)
- Re: Account Lockout Policies Graham Toal (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Randy Marchany (Jul 11)
- Re: Account Lockout Policies Gary Flynn (Jul 11)
- Re: Account Lockout Policies Gary Dobbins (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Russell Fulton (Jul 12)
- Re: Account Lockout Policies jack suess (Jul 12)
- Re: Account Lockout Policies Gary Flynn (Jul 13)
- Re: Account Lockout Policies Jonny Sweeny (Jul 14)
- Re: Account Lockout Policies Graham Toal (Jul 14)