Yesterday's news » New password locking guidelines

Skip to content
Skip to menu

Nov 22 2010

New password locking guidelines

Category: Uncategorized — zvolkov @ 10:43 am

(Inspired by a security.stackexchange.com question)

Locking the account after 3 attempts may seem like a good security measure but it may be very perplexing for the user. Having secret questions as a way to unlock the account is a hole in security. Having the admins having to unlock the accounts does not scale well.

If you think about it, the only reason we put the lockout in place is to prevent the brute force password attacks.

Here are the new guidelines from Bill Cheswick of AT&T at OWASP AppSec 2010 conference that are designed to address these issues:

Don’t count the same invalid password reentered multiple times in a row towards the lockout limit;
Instead of having users setup secret question which effectively is a (weak) secondary password, have them setup password hint that would remind them what the primary password is;
Lock the account temporarily, in increasing time increments: e.g. 5, 10, 20, 60 mins

Comments Off

Comments are closed.

Andrei Volkov

Geek, buddhist, father. Besides geeky stuff I enjoy meditation, vinyl, and hiking.
Links
if I don't post here for a while, check out The Way Of The Future, my other blog

Tried and True tools - my tools list
Recent Posts
Twitter – @zvolkov
- Blogged: An improved comma-separated-values array model binder http://t.co/6QxKFj6A 1 week ago
- Blogged: http://t.co/1yzVR7s9 MVC build URL based on current URL http://t.co/3fEvvmf6 1 week ago
- http://t.co/XgD95yum -- Linux notebooks from Lenovo, Sony, Dell, Panasonic with custom kernel for full hardware support, updates etc. 1 month ago
- Blogged: 9 not so obvious software development principles learned the hard way http://t.co/CmAIzqFy 1 month ago
- Getting ready for my annual meditation retreat. Basically, will spend this weekend in a closet. See you on the other side! 1 month ago
- Wow I had no idea there were legal brothels in Nevada http://t.co/fSORTL2p 2 months ago
- Static typing is like modeling with Lego blocks. Dynamic duck-typing is like modeling with clay. As of recent, I find the blocks limiting. 2 months ago
- RavenDb's .Statistics(out stats) is a nice little gem! 2 months ago
- Figured out the cause of the dehydration I've been experiencing lately. (Not vodka!) Damn vitamin D3 suggested by my physician. 2 months ago
- Did I ever tell you I ran a company? Well, it was more like a wholly owned subsidiary but still. For 3 years, in Ukraine. With 6 employees. 2 months ago
- Funny. Still, I'd expect a chef to know what proteins are, and at what temperature they denaturate. That science thing. http://t.co/tsvVCXld 2 months ago
- Ppl change so radically as they age, it's hard to believe this pretentious old lady ever was an easygoing girl. Or was she always like this? 2 months ago
- In enterprise software development, what's the best way to solve many tough problems fast? Answer: The secret is to solve them *poorly*! 2 months ago
- Ever wandered what would happen if you tweeted "I'm going to destroy America"? http://t.co/cPAU2o9a 2 months ago
- Calm down my little brain, it is all an illusion anyway. G'night 2 months ago
- Marveling at the miracle that WebSocket protocol is: http://t.co/diNSPfSx 2 months ago
- В этой фразе вся политическая ситуация на Украине: "В Харькове подожгли Lexus судьи." 2 months ago
- Anyone knows domain name registrar other than GoDaddy or dnsimple? Looking for a super-awesome one, of course, would have googled othewise 2 months ago
- "Our foundation won’t last long beyond Melinda’s and my lifetime. My kids will make their own careers." - Bill Gates http://t.co/ufIa58t0 2 months ago
- Stuck with EF? Vote for improvements: http://t.co/LPM7VtnT 2 months ago