Educause Security Discussion mailing list archives

Re: Brute force credentials protection


From: Dexter Caldwell <dexter.caldwell () FURMAN EDU>
Date: Tue, 5 Mar 2019 16:13:47 +0000

The article makes valid points; we've been OK with using the threshold, though with something less than 15 attempts.  
Yes, it does require users to learn how to change passwords.  This is a repercussion of single sign-on.  But keep in 
mind, the pain is also relative to your password expiry and even complexity settings, so my advice is that we should 
use password policy tools with the right mix to our advantage rather than excluding any options from the toolbag by 
policy.




-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Maud, Phil
Sent: Tuesday, March 5, 2019 6:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Brute force credentials protection

This makes interesting reading:

https://ravingroo.com/295/active-directory-account-lockout-policy-threshold-counter-strong-password/

Regards

Phil Maud
Information Security Analyst
Information Services, Building 63 (IT) G7
E: P.H.Maud () cranfield ac uk
T: +44 (0) 1234 75 4879  


-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mike Dronen
Sent: 04 March 2019 20:04
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Brute force credentials protection

All - Looks like it's been a while since this topic has come up in the forum. I'm wondering how you protect against 
brute force password attempts, i.e. two-factor auth. In our environment we set an attribute in AD to lock the user 
account for a prescribed period of time after four failed attempts. This appears to work for us. Just wondering if 
there are other mechanisms just as good or better? Thanks.
