Educause Security Discussion mailing list archives
Re: Account Lockout Policies
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 13 Jul 2006 09:50:05 +1200
Valdis Kletnieks wrote:
> On Tue, 11 Jul 2006 16:07:30 EDT, Randy Marchany said:
> > We use 3 attempts before lockout, but the duration is short. The point is to stop automated attempts and random guessing so I don't see much point in locking "forever".
> Time to become the pinata :-).
> If anybody cares, one of the earliest cites on login attempts is probably the DoD 'Rainbow Series' manual on password management (April 1985). It's important to note that at least in this manual, the *goal* (limit the upper bound of guesses) is clearly understood - I'm not convinced that most auditors have as good a grasp on the *why* as the Rainbow Series guys did.
[ Lots of good stuff snipped ]

This is where monitoring of logs suddenly becomes vitally important. If you review your authentication records regularly for failed logins (you do, don't you?) then you only have to slow down the login attempts so that it is unlikely that an attacker can brute force an account before it (the attack) is noticed. Of course all your passwords should conform to standards ;) but seeing a persistent brute force attack against an account is a good reason to make quite sure that the account is 'safe'. This is why authentication services without a logging mechanism are a total disaster (MS, are you listening? Remember RDP?)

Russell
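The two ideas in this exchange, the "upper bound of guesses" a lockout policy leaves an attacker and reviewing authentication logs for persistent failures, can be put into a few lines of code. The following is an added example, not code from the list thread or from any of the posters; the syslog-style `sshd` "Failed password" line format, the sample log lines and the thresholds are all assumed for illustration.

```python
"""Added example (not from the thread): detect persistent failed logins in
auth-log lines, and compute the online guess budget a lockout policy allows.
The log format below is assumed; the sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line format: "<ISO timestamp> sshd[pid]: Failed password for [invalid user] <user> from <ip>"
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log: alice takes three failures in a few seconds, then
# one more hours later; bob has a single failure; an unknown user 'admin' one.
SAMPLE_LOG = [
    "2006-07-12T09:00:00 sshd[100]: Failed password for alice from 192.0.2.10",
    "2006-07-12T09:00:03 sshd[101]: Failed password for alice from 192.0.2.10",
    "2006-07-12T09:00:07 sshd[102]: Failed password for alice from 192.0.2.10",
    "2006-07-12T09:00:09 sshd[103]: Accepted password for bob from 198.51.100.5",
    "2006-07-12T09:00:12 sshd[104]: Failed password for invalid user admin from 192.0.2.10",
    "2006-07-12T09:01:00 sshd[105]: Failed password for bob from 198.51.100.5",
    "2006-07-12T12:00:00 sshd[106]: Failed password for alice from 192.0.2.10",
]


def parse_failures(lines):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect_brute_force(lines, threshold=10, window_seconds=600):
    """Return {user: (count, first_ts, last_ts)} for every account whose failed
    logins within a sliding window of window_seconds reach threshold.
    Each account is reported once, at the moment the threshold is first crossed."""
    windows = defaultdict(deque)   # per-user timestamps inside the current window
    flagged = {}
    for ts, user, _ip in parse_failures(lines):
        q = windows[user]
        q.append(ts)
        # Drop failures that have aged out of the window (q never empties: ts is in it).
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = (len(q), q[0].isoformat(), ts.isoformat())
    return flagged


def max_guesses(attempts_before_lockout, lockout_seconds, period_seconds=86400):
    """Upper bound on online guesses against one account within period_seconds,
    assuming the attacker uses every attempt and waits out each lockout.
    This is the quantity the Rainbow Series guidance is concerned with."""
    if lockout_seconds <= 0:
        raise ValueError("lockout_seconds must be positive")
    cycles = max(1, period_seconds // lockout_seconds)
    return attempts_before_lockout * cycles


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG, threshold=3, window_seconds=600))
    # 3 attempts then a 5-minute lockout vs. 3 attempts then a day-long lockout
    print(max_guesses(3, 300), max_guesses(3, 86400))
```

With the sample log and a threshold of three failures in ten minutes, only `alice` is flagged; the lone failures for `bob` and `admin` stay below it. The second function makes the "short duration" trade-off concrete: three attempts followed by a five-minute lockout still leaves an attacker 864 guesses per day against one account, which is exactly why the post argues the lockout only needs to be slow enough for the log review to catch the attack.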
Current thread:
- Account Lockout Policies Saburo Usami (Jul 11)
- <Possible follow-ups>
- Re: Account Lockout Policies Eric Brewer (Jul 11)
- Re: Account Lockout Policies Graham Toal (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Randy Marchany (Jul 11)
- Re: Account Lockout Policies Gary Flynn (Jul 11)
- Re: Account Lockout Policies Gary Dobbins (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Russell Fulton (Jul 12)
- Re: Account Lockout Policies jack suess (Jul 12)
- Re: Account Lockout Policies Gary Flynn (Jul 13)
- Re: Account Lockout Policies Jonny Sweeny (Jul 14)
- Re: Account Lockout Policies Graham Toal (Jul 14)