account lockouts

November 14th, 2007 by admin

Someone trying to brute-force SSH on my Linux machine (sucker! I require two-factor authentication!) has brought account lockouts to the forefront of my thought process. Many people say that after 3 failed login attempts you should lock the account and force the user to get a password reset. This is one case where I think the current security paradigm is way too strict and reactionary. Users frequently forget passwords and need 5 or 6 attempts to get one right, especially for accounts they log into infrequently, such as an IRA, 401K, or CD account. Everyone realizes that the lower you set the lockout threshold, the higher the support overhead becomes; it's simply another tradeoff people have decided to make for security. What I still can't fathom is why such a low number became commonplace. Say the limit were raised to 10, or even 100. How many accounts can actually be brute-forced in 10 or 100 guesses? If any can, you have other problems and need to improve your password policy, because the lockout is not what is protecting those accounts. I simply can't see what real risk would be posed by raising the failed-login limit from 3 to 5 or 10.
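To put numbers on the tradeoff the post describes, here is a small model of a failed-login lockout policy. It is an added example, not code from the original post: the policy parameters, the account names and the attempt sequences are constructed for illustration, and credentials are held in plaintext only to keep the model short. It runs two scenarios against the same authenticator: a forgetful user who needs several tries, and an online attacker hammering one account, so the guess budget that a threshold of 3 versus 10 actually hands the attacker can be compared directly.

```python
"""Model of a failed-login lockout policy, used to compare thresholds.

Added example for this post, not the author's code.  All parameters and
sample attempt sequences below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int                    # recent failures that trigger a lock
    window_s: float = 15 * 60         # failures older than this no longer count
    lock_s: Optional[float] = None    # None = locked until a password reset


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)   # timestamps of failures
    locked_until: Optional[float] = None                  # inf = until reset


class Authenticator:
    """Checks passwords and enforces a LockoutPolicy per account."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials      # plaintext only for brevity; hash in real code
        self.state: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.state.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns "ok", "bad_password" or "locked". A locked account is not
        checked at all, so the attacker learns nothing from guesses made then."""
        st = self.state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None           # timed lock has expired
            st.failures.clear()
        st.failures = [t for t in st.failures if now - t <= self.policy.window_s]
        if self.credentials.get(user) == password:
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = (float("inf") if self.policy.lock_s is None
                               else now + self.policy.lock_s)
            return "locked"
        return "bad_password"


def forgetful_user(policy: LockoutPolicy, wrong_tries: int) -> str:
    """Legitimate user types `wrong_tries` bad passwords, 5 s apart, then the right one."""
    auth = Authenticator(policy, {"alice": "correct horse"})
    t = 0.0
    for i in range(wrong_tries):
        auth.attempt("alice", f"wrong{i}", t)
        t += 5
    return auth.attempt("alice", "correct horse", t)


def attacker_guess_budget(policy: LockoutPolicy, seconds: float, rate_s: float = 1.0) -> int:
    """Distinct passwords an online attacker can test against ONE account in `seconds`,
    guessing once every `rate_s` seconds and waiting out any timed lock."""
    auth = Authenticator(policy, {"bob": "unguessable"})
    guesses, t = 0, 0.0
    while t < seconds:
        if auth.is_locked("bob", t):
            until = auth.state["bob"].locked_until
            if until == float("inf"):
                break                        # hard lock: nothing more until a reset
            t = until                        # wait for the timed lock to expire
            continue
        auth.attempt("bob", f"guess{guesses}", t)
        guesses += 1
        t += rate_s
    return guesses


def fraction_of_keyspace(guesses: int, alphabet_size: int = 62, length: int = 8) -> float:
    """Share of a uniformly random password space covered by `guesses` attempts."""
    return guesses / alphabet_size ** length


if __name__ == "__main__":
    day = 24 * 3600
    for threshold in (3, 5, 10):
        hard = LockoutPolicy(threshold)
        timed = LockoutPolicy(threshold, lock_s=15 * 60)
        print(f"threshold {threshold:>2}: user with 6 fumbles -> {forgetful_user(hard, 6)};",
              f"attacker/day: {attacker_guess_budget(hard, day)} (reset lock),",
              f"{attacker_guess_budget(timed, day)} (15 min lock),",
              f"keyspace covered {fraction_of_keyspace(attacker_guess_budget(timed, day)):.1e}")
```

Run as a script it shows the asymmetry the post is pointing at: at a threshold of 3 the user who fumbles six times is locked out, while at 10 the same user gets in, yet the attacker's budget against one account only grows from 3 to 10 guesses with a hard lock, or to a few hundred a day with a 15-minute timed lock, which is a vanishing fraction of any reasonable password space. Two things the model also makes visible: a per-account counter does nothing against an attacker who spreads guesses across many usernames, and a hard lock lets anyone who knows a username lock its owner out, both reasons a lockout threshold should not be leaned on as the primary control.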

One Response to “account lockouts”

  1. David Says:

    What? You mean you want real security instead of the illusion of security? Next you’ll be saying that you don’t think that the airline screening procedures actually make us safer…
