how to handle failed login attempts?

web password is commonly used in many web applications that require
authentication. The question is what should the system do if there are
multiple consecutive failed authentication attempts with a valid
username but incorrect password? Should the system lock the account, or
don't do anything?

I tried several famous email accounts and entered the incorrect
password on purpose, but they didn't lock the account.

please discuss. thanks!!

Re: how to handle failed login attempts?

If you do lock out, that becomes a simple way to create a denial of
service for a given user in a targeted attack.

So there are tradeoffs to a lockout.

Todd H. /

Re: how to handle failed login attempts?

On 8 Sep 2006, in the Usenet newsgroup, in article

Please remember that there is a heck of a lot more to computers than some
wonky web browser.  The World Wide Web was invented some ten years _after_
the Internet.

That depends on your threat model, and possibly what accounts they are.
IN GENERAL, locking the account is not usually a desired action. It's a
perfect Denial Of Service mechanism.

A more common solution is to slow the responses after a few (perhaps three)
failed login attempts. You type in a bad username or password, and the
program at the other end of the process waits a progressively longer and
longer time to tell you that the login attempt was incorrect. This normally
has no effect on the response to a valid username/password.

Another solution often seen to zombies trying to login to an SSH server
is that the remote IP address can be blackholed - perhaps for a few minutes
or even hours.

Practical UNIX and Internet Security, Third Edition, Garfinkel, Spafford,
and Schwartz Feb 2003, $54.95, ISBN 0-596-00323-4, 984 pages, O'Reilly

That's one of 47 different books on computer security from O'Reilly (see If UNIX is a dirty word to you, there are even a dozen books
aimed at windoze.  I'm sure there are dozens of other such books available
from other publishers as well - a google search is suggested.

        Old guy
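The progressive-delay and source-IP "blackhole" scheme described in the reply above, as an added example that is not from this thread or any project it mentions. The user store, thresholds, delays, and IP addresses are constructed; the sleep and clock are injectable so the logic can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 100_000

def make_record(password: str):
    """Constructed user store entry: (salt, PBKDF2-HMAC-SHA256 of the password)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

USERS = {"alice": make_record("correct horse")}   # constructed sample account

class LoginThrottle:
    """Per-username progressive delay once failures exceed `threshold`, plus a
    temporary block of any client IP that racks up `block_after` failures."""
    def __init__(self, threshold=3, base_delay=1.0, max_delay=30.0, block_after=10,
                 block_seconds=600.0, sleep=time.sleep, clock=time.monotonic):
        self.threshold, self.base_delay, self.max_delay = threshold, base_delay, max_delay
        self.block_after, self.block_seconds = block_after, block_seconds
        self.sleep, self.clock = sleep, clock          # injectable for tests
        self.user_fails = defaultdict(int)             # consecutive failures per username
        self.ip_fails = defaultdict(int)               # failures per source IP
        self.ip_blocked_until = {}                     # ip -> clock time the block expires

    def _verify(self, username, password):
        # Unknown users get a dummy record so the hash work (and timing) is the same.
        salt, expected = USERS.get(username, (b"\0" * 16, b"\0" * 32))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(digest, expected) and username in USERS

    def attempt(self, username, password, ip):
        """Returns (accepted, delay_applied_seconds, reason)."""
        now = self.clock()
        if self.ip_blocked_until.get(ip, 0.0) > now:
            return False, 0.0, "ip-blocked"             # blackholed source: no verification
        if self._verify(username, password):
            self.user_fails[username] = 0              # valid login: counter cleared, no delay
            return True, 0.0, "ok"
        self.user_fails[username] += 1
        self.ip_fails[ip] += 1
        if self.ip_fails[ip] >= self.block_after:      # too many failures from one IP
            self.ip_blocked_until[ip] = now + self.block_seconds
            self.ip_fails[ip] = 0
        over = self.user_fails[username] - self.threshold
        delay = 0.0 if over <= 0 else min(self.base_delay * 2 ** (over - 1), self.max_delay)
        self.sleep(delay)                              # the response itself is what slows down
        return False, delay, "bad-credentials"
```

Each failed answer beyond the third takes twice as long as the previous one (1 s, 2 s, 4 s, ... capped at `max_delay`), while a correct password is answered immediately and resets the per-user counter.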