Account and Password Lockout

Account lockout policy is modeled on policies with a history of great success on internal corporate server systems. If a user enters 5 consecutive incorrect passwords in a row the account will be disabled for a period of time.

Further the lockout period is calculated as 5/t * 3 hours, where t is the time in minutes between the first error and the fifth error. Thus, if the account is under automated attack the lockout duration is increased proportionately to the speed of attack.

The minimum lockout is 3 hours. As compared to account deletion, this approach minimises system admin intervention because the account will come alive again without further action through the passage of time.

This is an effective defense against automated password crackers or password hurlers because each username can only have 5 tries before locking out. Subsequent requests are refused without further analysis or acknowledgement.

A password cracker or password hurler can actually try the correct password on the sixth try but gets no positive feedback. The correct password is then assumed to be incorrect and is dropped from the list. Additionally, the attacker will suffer significant delays while waiting for acknowledgments which never arrive.


Password Protection
Password Recovery
table of contents
full printable document





password protection ...
... industrial strength
distributed password protection
iis basic authentication
iis digest authentication

copyright(c) 2003
all rights reserved

design -