Lockout is the feature that automatically disables a user account once a pre-determined number of failed logon attempts have occurred. Lockout is a primary defense against brute-force attacks. A brute-force attack attempts to log into a system with a known user account name by repeatedly trying different password combinations. Lockout works well against local physical access attempts and against remote or network access attempts. However, lockout does not work against attacks through FTP.
Lockout should be a key part of an organization's security policy. There are three elements to defining the lockout policy:
- Failed logon attempts -- the number of times a logon can fail before the account is locked out.
- Lockout duration -- the length of time an account is locked out. If this is set to infinite then an administrator or account manager must re-enable the account manually.
- Failed logon counter reset interval -- the length of time before the count of failed logons is reset to 0.
In most cases, a lockout duration of 15 minutes is more than sufficient to thwart a brute-force attack while not requiring the intervention of an administrator every time a user fumbles their logon multiple times. Most organizations allow three to five failed logon attempts before disabling the user account, with a counter reset interval of 15 to 30 minutes.
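The three policy elements above can be modelled as a small state machine. The following is an added example, not code from the original article; it assumes a constructed sequence of logon events for a single account and the typical values quoted above (three failed attempts, a 15-minute lockout, a 30-minute counter reset interval), and it also covers the infinite-duration case that needs an administrator to unlock.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int            # failed logons allowed before the account is locked
    duration: Optional[int]   # seconds the lock lasts; None = until an admin unlocks
    reset_interval: int       # seconds of quiet after which the failure count resets

@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None   # float("inf") for an indefinite lock

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}   # user name -> AccountState

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"          # rejected even if the password was correct
        if st.locked_until is not None:
            st.locked_until, st.failures = None, 0   # lock expired: start afresh
        if success:
            st.failures, st.last_failure = 0, None
            return "ok"
        # reset interval: a quiet period since the last failure wipes the count
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_interval:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            d = self.policy.duration
            st.locked_until = float("inf") if d is None else now + d
            return "lockout"
        return "fail"

    def unlock(self, user: str) -> None:   # manual administrator action
        self.accounts[user] = AccountState()

def demo() -> list:
    """Constructed events: (seconds since start, logon succeeded?) for one account."""
    tracker = LockoutTracker(LockoutPolicy(threshold=3, duration=900, reset_interval=1800))
    events = [(0, False), (10, False), (2000, False), (2010, False),
              (2020, False), (2100, True), (3000, True)]
    return [tracker.record_attempt("alice", ok, t) for t, ok in events]
```

In the demo the third failure at t=2000 does not lock the account because 1990 seconds of quiet have elapsed, so the counter has been reset; the lock only triggers at t=2020, blocks a correct password at t=2100, and has expired by t=3000.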
Lockout by itself is a useful deterrent, but it should always be combined with logon
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in February 2002