Reply to post: Account lockouts?

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Joe Montana

Account lockouts?

Why would you implement account lockouts? that's a monumentally stupid idea...

Usernames are often predictable, and frequently not even secret at all. An attacker can work out all your usernames and then intentionally get all the accounts locked, irrespective of how good those user's passwords were.

Similarly even if you lock accounts after say 5 attempts, that means an attacker can still perform 4 attempts per user - if you have many users, at least some of them will have common passwords like Password1 or Welcome1 etc.

A network based brute force is slow and will only ever succeed against extremely weak passwords anyway, so long as you have a half decent password policy no such attempts will succeed. And you should have half decent monitoring too, so you notice attacks. Simply relying on account lockouts is stupid.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon