“Didn’t you say that you weren’t a fan of account lock-outs? Are you insane? What gives?”
What I said was that I'm not a huge fan of lock-outs that require a password reset by an administrator. Such a scheme provides a pretty huge disincentive for forgetting passwords, and so will tend to result in users picking passwords they can't possibly forget—and which are probably much weaker than you'd like.
A system which locks a user out for 5 minutes after 3 failed attempts, but then restores access automatically is still going to foil on-line password guessing with tools like Brutus and THC-Hydra. Such an attack relies on the ability to guess hundreds of passwords per minute. If I only get 3 tries per 5 minutes, I'm not going to get very far—assuming some password strength is enforced as well.
July 1, 2007, 1:15pm:
“Yeah, but wouldn’t that only slow down the brute force attack?”
You're absolutely correct that my suggestion only slows down the brute force attack. However, in combination with the other measures we’ve discussed, I feel it strikes a good balance between administrative costs (and user downtime) recovering from a momentarily forgotten password, and the need to mitigate that attack.
Password guessing attacks succeed because I can use an automated tool to make tens or hundreds of thousands of guesses. Sooner or later I'll guess correctly. But if I can wage no more than 36 guesses per hour, that'll be less than 1,000 guesses in any 24-hour period, by which time your intrusion detection or audit trail review should have picked it up (and perhaps instituted a network-layer mitigation).
If you don't like that math, bump it up to a 15-minute lockout. Now you're down to 12 guesses per hour, or only 288 in a day. I shouldn't be able to guess a sufficiently strong password in that few attempts.
Something else to consider: What happens if password resets from lockouts get so routine that your administrators stop being sufficiently diligent when authenticating the reset request? Can I now circumvent the whole system by just figuring out who's on vacation and socially engineering an admin for a password reset?
Just one gent’s $.02 and cost/benefit math.
/jonathan
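The self-expiring lockout described in the replies above (3 failed attempts, then a 5- or 15-minute lock that lifts on its own), together with the guesses-per-hour and guesses-per-day math, as an added example. This is not code from the original post or its author; it assumes an in-memory per-user store, an injectable clock so a simulated 24-hour run finishes instantly, and a constructed credential table used only for the demonstration.

```python
"""Temporary lockout with automatic expiry, and the on-line guess budget it leaves an attacker.

Added example, not code from the original post. Assumptions (not in the post): an
in-memory per-user store, an injectable clock, and a constructed credential table.
"""
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 3       # failed attempts allowed before the lock engages
    lock_seconds: int = 5 * 60  # how long the lock lasts; access is restored automatically


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means "not locked"


class AuthGate:
    """Wraps password verification with a self-expiring lockout (no admin reset needed)."""

    def __init__(self, passwords, policy=None, clock=time.time):
        self._passwords = dict(passwords)   # user -> password; plaintext only for the demo
        self._policy = policy or LockoutPolicy()
        self._clock = clock
        self._state = {}

    def locked_until(self, user):
        st = self._state.get(user)
        return st.locked_until if st else 0.0

    def attempt(self, user, password):
        """Return 'ok', 'bad' or 'locked'. A locked attempt is rejected before any password check."""
        now = self._clock()
        st = self._state.setdefault(user, _AccountState())
        if now < st.locked_until:
            return "locked"
        if st.locked_until:             # an earlier lock has expired: start a fresh window
            st.failures, st.locked_until = 0, 0.0
        expected = self._passwords.get(user, "")
        if user in self._passwords and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1                # unknown users are counted too, so they are not enumerable
        if st.failures >= self._policy.max_failures:
            st.failures = 0
            st.locked_until = now + self._policy.lock_seconds
        return "bad"


class FakeClock:
    """Settable clock so the simulation below does not really wait out the locks."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def max_online_guesses(policy, horizon_seconds, user="alice"):
    """Guesses an attacker who fires as fast as possible can make within the horizon.

    The attacker guesses until locked, then resumes the instant the lock expires.
    """
    clock = FakeClock()
    gate = AuthGate({user: "correct horse battery staple"}, policy, clock)  # constructed demo credential
    guesses = 0
    while clock.now < horizon_seconds:
        result = gate.attempt(user, "wrong-guess-%d" % guesses)
        if result == "locked":
            clock.now = gate.locked_until(user)   # wait out the lock, then continue
        else:
            guesses += 1
    return guesses


def guess_budget(policy, horizon_seconds):
    """Closed-form bound: one batch of max_failures per lock period (36/hour for 3 per 5 minutes)."""
    return policy.max_failures * (horizon_seconds // policy.lock_seconds)


def days_to_exhaust(keyspace, guesses_per_day):
    """How long an attacker limited to guesses_per_day needs to try every candidate."""
    return keyspace / guesses_per_day


if __name__ == "__main__":
    for lock in (5 * 60, 15 * 60):
        pol = LockoutPolicy(max_failures=3, lock_seconds=lock)
        per_hour = max_online_guesses(pol, 3600)
        per_day = max_online_guesses(pol, 24 * 3600)
        print(f"{lock // 60:2d}-minute lock: {per_hour} guesses/hour, {per_day} guesses/day")
        # An 8-character lowercase-only password has 26**8 candidates; at this rate:
        print(f"   exhausting 26**8 candidates would take about {days_to_exhaust(26**8, per_day):.0f} days")
```

The simulation and the closed-form budget agree (36 per hour and 864 per day for the 5-minute lock; 12 and 288 for the 15-minute lock), which is the arithmetic in the thread. The last line of the loop is the reason the reply insists on password strength as well: 864 guesses a day is nothing against a large keyspace, but it is most of a short list of common passwords, so the lockout only helps if weak choices are rejected at password-set time.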