Educause Security Discussion mailing list archives

Re: Account Lockout Policies


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 13 Jul 2006 09:50:05 +1200

Valdis Kletnieks wrote:
> On Tue, 11 Jul 2006 16:07:30 EDT, Randy Marchany said:
> > We use 3 attempts before lockout, but the duration is short.  The point
> > is to stop automated attempts and random guessing so I don't see much
> > point in locking "forever".
> Time to become the pinata :-).
>
> If anybody cares, one of the earliest cites on login attempts is probably
> the DoD 'Rainbow Series' manual on password management (April 1985).  It's
> important to note that at least in this manual, the *goal* (limit the
> upper bound of guesses) is clearly understood - I'm not convinced that most
> auditors have as good a grasp on the *why* as the Rainbow Series guys did.


[ Lots of good stuff snipped ]

This is where monitoring of logs suddenly becomes vitally important.  If
you review your authentication records regularly for failed logins (you
do, don't you?) then you only have to slow down the login attempts so
it is unlikely that an attacker can brute force an account before it
(the attack) is noticed.  Of course all your passwords should conform to
standards ;) but seeing a persistent brute force attack against an
account is a good reason to make quite sure that the account is 'safe'.

This is why authentication services without a logging mechanism are a
total disaster (MS, are you listening? Remember RDP?).

Russell
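Added example (not from the thread): two small checks for the points made above, the upper bound on guesses a lockout policy permits if an attacker simply waits out each lockout, and a scan of authentication records for persistent failed logins against one account. The log lines, usernames and addresses are constructed; the sshd-like format and the function names are assumptions.

```python
"""Bound the guess rate a lockout policy allows and scan authentication
records for persistent failed logins (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication records (not real data).
SAMPLE_LOG = """\
2006-07-13T09:50:05 sshd[2101]: Failed password for alice from 192.0.2.10
2006-07-13T09:50:09 sshd[2101]: Failed password for alice from 192.0.2.10
2006-07-13T09:50:14 sshd[2101]: Failed password for alice from 192.0.2.10
2006-07-13T09:55:30 sshd[2117]: Failed password for alice from 192.0.2.10
2006-07-13T09:55:35 sshd[2117]: Failed password for alice from 192.0.2.10
2006-07-13T09:55:41 sshd[2117]: Failed password for alice from 192.0.2.10
2006-07-13T10:01:02 sshd[2130]: Failed password for bob from 198.51.100.7
2006-07-13T10:01:40 sshd[2131]: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$")


def max_guesses_per_day(attempts_before_lockout: int, lockout_minutes: int) -> int:
    """Upper bound on guesses per account per day under a 'N attempts then
    lock for M minutes' policy: the Rainbow Series goal of bounding guesses."""
    windows_per_day = (24 * 60) // lockout_minutes
    return attempts_before_lockout * windows_per_day


def persistent_failures(log_text: str, window_minutes: int, threshold: int) -> dict:
    """Return {user: total_failures} for accounts with at least `threshold`
    failed logins inside any sliding window of `window_minutes`: the
    persistent brute-force case that warrants checking the account is safe."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "Failed":
            failures[m.group("user")].append(datetime.fromisoformat(m.group("ts")))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = len(times)
                break
    return flagged
```

With Randy's "3 attempts, short lockout" policy the first function shows how many guesses a patient attacker still gets per day, which is what the log review has to catch.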
