WebApp Sec mailing list archives

RE: Account Lockouts


From: Michael Silk <michaelsilk () gmail com>
Date: Thu, 2 Dec 2004 15:10:21 +1100

Hi,

 A pretty easy solution exists and is to use "http://www.captcha.net/"
images before locking the account.

 I.e. 3 or 4 or N invalid attempts results in the next attempt
requiring username + password + captcha image response before being
processed.

 In this way a user can still log in (but will need to provide captcha
response) but an automated script can't recognise (hopefully :) the
captcha image so it can't force the account to be locked :)

-- Michael

PS: Gmail implements it, so you can try it next time you login to your
own account :)

-----Original Message-----
From: Harrison Gladden [mailto:hgladden () gmail com] 
Sent: Thursday, 2 December 2004 4:52 AM
To: webappsec () securityfocus com; secprog () securityfocus com
Subject: Account Lockouts

Hello all, 

My question to the group is about handling account lockouts.  Here's
the situation: assume there is a web interface that lets users log in
and do stuff, but the log-in process is constrained by the network
restrictions as well, meaning if a user tries to log in X times in Y
seconds and fails each time, then the account gets locked out.

What are successful techniques that could be used on the web
interface to avoid having a script run against it that would
potentially lock out 15000 user accounts, and create a headache for
the system administrators who have to manually unlock each account?

Also assume the current user account names are known by everyone.  

Possible techniques we've thrown around:
1)  Allow each user to pick their own username instead of using a
standard (i.e. First 3 letters of first name + Full last name)

2) Create a set time-out period for each account of X (maybe an hour)

Hopefully my question makes sense.  

Thanks,
Harrison
--
___________________________________
Harrison Gladden <hgladden () gmail com>
Computer Engineer & Science Major
~Past experience: He who never makes 
   mistakes, never did anything that's worth.~

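The two ideas in this thread (Harrison's "X failures in Y seconds, then a time-out" and Michael's "require a captcha before the lockout threshold, so attempts that fail the captcha are never processed") combined into one policy, as an added example written for this archive page, not code from either poster. The `LoginGuard` class, its parameters and the injectable `clock` are assumptions for illustration; the credential check and the captcha check are passed in as booleans so the example stays self-contained.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Escalating policy: after `captcha_after` failures inside a sliding
    `window` the next attempt must carry a correct captcha answer, and only
    attempts that pass that gate are processed (and counted), so a script
    that cannot solve the captcha can no longer push an account up to
    `lockout_after` failures and lock it for `lockout_seconds`."""

    def __init__(self, captcha_after=3, lockout_after=10, window=60,
                 lockout_seconds=3600, clock=time.time):
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self.window = window
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(deque)      # account -> recent failure times
        self.locked_until = {}                  # account -> unlock timestamp

    def _recent_failures(self, user, now):
        """Drop failures older than the window; return how many remain."""
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def needs_captcha(self, user):
        return self._recent_failures(user, self.clock()) >= self.captcha_after

    def attempt(self, user, password_ok, captcha_ok=None):
        """password_ok / captcha_ok stand in for the real checks."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"                     # time-out still running
        if self.needs_captcha(user):
            if captcha_ok is None:
                return "captcha_required"       # tell the client to render one
            if not captcha_ok:
                return "captcha_failed"         # rejected before processing: not counted
        if password_ok:
            self.failures.pop(user, None)       # good login resets the counter
            return "ok"
        self.failures[user].append(now)
        if self._recent_failures(user, now) >= self.lockout_after:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "bad_password"
```

The captcha gate sits before the password check, so unsolved captchas never advance the counter toward the lockout, while a user who can read the image still gets in.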