Educause Security Discussion mailing list archives

Re: Account Lockout Settings
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 28 Apr 2010 14:57:25 +1200

On 28/04/2010, at 7:32 AM, Roger Safian wrote:

At 02:25 PM 4/27/2010, Rivers, Andrew E put fingers to keyboard and wrote:
As our users change their password, it never fails that at least one of these many devices will continue to 
authenticate with the old password and, as you guessed, lock out their account.  

Our group advocates the use of lockouts that expire after some point 
of time.  Lockouts that don't expire can just be used as a denial
of service attack.
Amen.

If you enforce good passwords up front, the need for lockout largely disappears, as the accounts are not vulnerable to 
password guessing.

The UNIX approach to this is to force a network reconnect after 3 attempts - this dramatically slows down guessing attempts. 
I have seen many brute force attempts on ftp accounts in my snort logs -- typically attackers give up on UNIX boxes 
after about 100 attempts but the same attackers will try 1000 times on a Windows server.  (Figures are order of 
magnitude ;) Presumably because Windows never drops the session.

R 
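An added example, written by the editor and not posted by anyone in this thread, that models the two mechanisms discussed above in Python: a lockout that expires on its own after a window (so a forgotten device using the old password causes a temporary outage rather than a permanent denial of service), and a UNIX-style per-connection cap that drops the session after three failures so an attacker must reconnect to keep guessing. The thresholds, timings, account names, the "forgotten device" timeline and the wordlist are all assumptions chosen for illustration; the password store uses PBKDF2 purely so the check is realistic.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy knobs: assumed values for illustration, not taken from the thread.
LOCKOUT_THRESHOLD = 5       # consecutive failures before the account locks
LOCKOUT_SECONDS = 900       # the lockout clears itself after 15 minutes
PER_CONNECTION_MAX = 3      # drop the session after 3 failures, UNIX-style
_DUMMY_SALT = bytes(16)     # used so unknown users cost the same as known ones


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class Authenticator:
    """Password check with a temporary, self-expiring lockout."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def set_password(self, user: str, password: str) -> None:
        # A password change replaces salt and hash and clears any lock state.
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'locked'. `now` is injected for testability."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, _DUMMY_SALT)   # same cost as a real check
            return "fail"
        if acct.locked_until > now:
            return "locked"                 # still inside the lockout window
        if acct.locked_until:               # window has passed: clear the lock
            acct.locked_until = 0.0
            acct.failures = 0
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "fail"


class Connection:
    """One network session; torn down after `max_failures` bad attempts.
    max_failures=None models a server that never drops the session."""

    def __init__(self, auth: Authenticator, max_failures=PER_CONNECTION_MAX):
        self.auth = auth
        self.max_failures = max_failures
        self.failures = 0
        self.open = True

    def try_login(self, user: str, password: str, now: float) -> str:
        if not self.open:
            return "dropped"
        result = self.auth.login(user, password, now)
        if result != "ok":
            self.failures += 1
            if self.max_failures is not None and self.failures >= self.max_failures:
                self.open = False
        return result


def stale_device_scenario():
    """Constructed timeline: alice changes her password, a forgotten device
    keeps retrying the old one every 10 s, the account locks, the lock
    shuts alice out for a while, then expires and she gets back in."""
    auth = Authenticator()
    auth.set_password("alice", "old-pass")
    auth.set_password("alice", "new-pass")
    device = [auth.login("alice", "old-pass", float(t)) for t in range(0, 60, 10)]
    during = auth.login("alice", "new-pass", 100.0)
    after = auth.login("alice", "new-pass", 100.0 + LOCKOUT_SECONDS)
    return device, during, after


def attempts_accepted(drop_session: bool, wordlist_size: int = 10) -> int:
    """How many guesses one connection gets to send before it must reconnect.
    With the per-connection cap the attacker is cut off after 3; without it
    every guess in the list is accepted on the same session."""
    auth = Authenticator()
    auth.set_password("bob", "correct horse battery staple")
    conn = Connection(auth, PER_CONNECTION_MAX if drop_session else None)
    accepted = 0
    for i in range(wordlist_size):
        if conn.try_login("bob", f"guess{i}", float(i)) != "dropped":
            accepted += 1
    return accepted
```

Run `stale_device_scenario()` to see the four "fail" results, the lockout engaging, alice's own valid login being refused while the window is open (the denial of service the thread is worried about) and the "ok" once the window has expired; `attempts_accepted(True)` versus `attempts_accepted(False)` shows why dropping the session makes the attacker pay a reconnect for every three guesses instead of none.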
