Account lockout policy: Addressing too many failed login attempts

Learn how to create an account lockout policy that details how many failed login attempts should be allowed before an account is locked out, in order to prevent a password dictionary attack.

For enterprise password protection, how many invalid login attempts should cause a lockout, and how long should that lockout last?

For this question, ask the enterprise policy group in your organization. There isn't really a best practice in this area, so each organization should establish its own rules. The factors that should be considered when determining the values to be placed in the policy include: any regulatory requirements your organization must comply with, risks of exposure set by your security group, the capabilities of your computing resources and, of course, productivity of the employees. After analyzing these requirements, create an account lockout policy and publish it with the rest of your policies. I've included a sample policy below:

Account lockout policy: The account lockout policy disables a user account if the user enters an incorrect password a specified number of times within a specified amount of time. These policy settings help prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on the organization's network. The following table describes the settings that are assigned for the account lockout.

| Account lockout policy security setting | Description of security setting | Assigned value |
|---|---|---|
| Account lockout duration | Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. | XX minutes |
| Account lockout threshold | Determines the number of failed login attempts that causes a user account to be locked out. | XX failed login attempts |
| Reset account lockout counter after | Determines the number of minutes that must elapse after a failed login attempt before the failed login attempt counter is reset to 0 bad login attempts. | XX minutes |
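To make the interaction of the three settings concrete, the following is an added example (not part of the original answer) that models the lockout counter in Python and replays a few constructed login attempts for the hypothetical users alice, bob and carol. The XX values in the policy table are placeholders; the sample policy used here (5 attempts, 30 minute lockout, 30 minute reset window) is an assumption chosen only for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The three settings from the policy table (named after the Windows settings)."""
    threshold: int           # failed attempts that trigger a lockout; 0 means never lock
    duration: timedelta      # how long a locked account stays locked before auto-unlocking
    reset_after: timedelta   # idle time after a failure before the bad-attempt counter returns to 0

    def __post_init__(self) -> None:
        # Windows requires the reset window to be no longer than the lockout duration;
        # otherwise a counter could outlive the lockout it triggered.
        if self.reset_after > self.duration:
            raise ValueError("reset_after must not exceed duration")


@dataclass
class AccountState:
    failed: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Applies a LockoutPolicy to a stream of login attempts, one state record per account."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, when: datetime, password_ok: bool) -> str:
        """Returns 'locked', 'success', 'failure' or 'lockout' for this attempt."""
        st = self.accounts.setdefault(user, AccountState())

        # An active lockout rejects the attempt before the password is even checked,
        # so a correct password does not unlock the account early.
        if st.locked_until is not None:
            if when < st.locked_until:
                return "locked"
            st.locked_until = None      # duration elapsed: automatic unlock, fresh counter
            st.failed = 0

        # "Reset account lockout counter after": a quiet period clears the bad-attempt count.
        if st.last_failure is not None and when - st.last_failure >= self.policy.reset_after:
            st.failed = 0

        if password_ok:
            st.failed = 0               # a successful login also clears the counter
            st.last_failure = None
            return "success"

        st.failed += 1
        st.last_failure = when
        # "Account lockout threshold": the Nth failure inside the window locks the account.
        if self.policy.threshold and st.failed >= self.policy.threshold:
            st.locked_until = when + self.policy.duration
            return "lockout"
        return "failure"


def run_scenario() -> List[str]:
    """Replays constructed attempts (hypothetical users and timestamps) under a sample policy."""
    policy = LockoutPolicy(threshold=5, duration=timedelta(minutes=30),
                           reset_after=timedelta(minutes=30))
    tracker = LockoutTracker(policy)
    base = datetime(2010, 2, 1, 9, 0, 0)   # constructed starting time
    events = [
        # alice: four wrong passwords, then the right one -> never reaches the threshold
        ("alice", base + timedelta(seconds=0), False),
        ("alice", base + timedelta(seconds=10), False),
        ("alice", base + timedelta(seconds=20), False),
        ("alice", base + timedelta(seconds=30), False),
        ("alice", base + timedelta(seconds=40), True),
        # bob: five wrong passwords in one minute -> locked; the correct password is
        # rejected at 09:10 and accepted only once the 30 minute duration has elapsed
        ("bob", base + timedelta(seconds=0), False),
        ("bob", base + timedelta(seconds=15), False),
        ("bob", base + timedelta(seconds=30), False),
        ("bob", base + timedelta(seconds=45), False),
        ("bob", base + timedelta(seconds=60), False),
        ("bob", base + timedelta(minutes=10), True),
        ("bob", base + timedelta(minutes=31), True),
        # carol: four failures, then a fifth after the reset window -> counter is back at 0,
        # so the fifth failure is just failure number one, not a lockout
        ("carol", base + timedelta(hours=1, seconds=0), False),
        ("carol", base + timedelta(hours=1, seconds=15), False),
        ("carol", base + timedelta(hours=1, seconds=30), False),
        ("carol", base + timedelta(hours=1, seconds=45), False),
        ("carol", base + timedelta(hours=1, minutes=40), False),
    ]
    return [f"{user}:{tracker.attempt(user, when, ok)}" for user, when, ok in events]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The replay shows why the three values have to be chosen together: the threshold alone decides nothing until a reset window says how long failures are remembered, and the duration decides how long a legitimate user (or an automated guesser) is kept out once the threshold is hit. A short reset window, as in carol's case, means slow, spaced-out guessing never accumulates to a lockout, which is the trade-off between user productivity and exposure that the answer asks each organization to settle for itself.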

This was first published in February 2010
