- how to handle failed login attempts?
September 8, 2006, 10:57 pm
authentication. The question is what should the system do if there are
multiple consecutive failed authentication attempts with a valid
username but incorrect password? Should the system lock the account, or
do nothing?
I tried several famous email accounts and entered the incorrect
password on purpose, but they didn't lock the account.
Please discuss. Thanks!!
Re: how to handle failed login attempts?
Please remember that there is a heck of a lot more to computers than some
wonky web browser. The World Wide Web was invented some ten years _after_
That depends on your threat model, and possibly what accounts they are.
IN GENERAL, locking the account is not usually a desired action. It's a
perfect Denial Of Service mechanism.
A more common solution is to slow the responses after a few (perhaps three)
failed login attempts. You type in a bad username or password, and the
program at the other end of the process waits a progressively longer and
longer time to tell you that the login attempt was incorrect. This normally
has no effect on the response to a valid username/password.
Another solution, often seen in response to zombies trying to log in to an SSH
server, is that the remote IP address can be blackholed - perhaps for a few
minutes or even hours.
Practical UNIX and Internet Security, Third Edition, Garfinkel, Spafford,
and Schwartz Feb 2003, $54.95, ISBN 0-596-00323-4, 984 pages, O'Reilly
That's one of 47 different books on computer security from O'Reilly (see
www.ora.com). If UNIX is a dirty word to you, there are even a dozen books
aimed at windoze. I'm sure there are dozens of other such books available
from other publishers as well - a google search is suggested.
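The two mechanisms the reply describes, progressively slower failure responses after a few bad attempts and temporary blackholing of a source address, as an added Python example (not code from the thread or from the book it cites). The thresholds, delay values and block duration are assumed, the password check is supplied by the caller, and only the failure path is delayed so a valid login is answered at once:

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

THRESHOLD = 3           # failures before delays begin ("perhaps three" in the reply)
BASE_DELAY = 1.0        # seconds for the first delayed failure response (assumed)
MAX_DELAY = 30.0        # cap so the delay cannot grow without bound (assumed)
IP_BLOCK_AFTER = 10     # failures from one source address before it is blackholed (assumed)
IP_BLOCK_SECONDS = 600  # how long a blackholed address stays blocked (assumed)


def delay_for(consecutive_failures: int) -> float:
    """Progressive delay: none until the threshold, then 1s, 2s, 4s, ... capped at MAX_DELAY."""
    if consecutive_failures <= THRESHOLD:
        return 0.0
    return min(BASE_DELAY * 2 ** (consecutive_failures - THRESHOLD - 1), MAX_DELAY)


@dataclass
class LoginThrottle:
    failures: Dict[str, int] = field(default_factory=dict)         # username -> consecutive failures
    ip_failures: Dict[str, int] = field(default_factory=dict)      # source ip -> failures
    blocked_until: Dict[str, float] = field(default_factory=dict)  # source ip -> unix time

    def is_blocked(self, ip: str, now: float) -> bool:
        if ip in self.blocked_until and now >= self.blocked_until[ip]:
            del self.blocked_until[ip]          # block expired: forget it and count afresh
            self.ip_failures.pop(ip, None)
        return ip in self.blocked_until

    def attempt(self, username: str, password: str, ip: str,
                check_password: Callable[[str, str], bool],
                now=None, sleep: Callable[[float], None] = time.sleep):
        """Returns (status, delay_applied); status is 'ok', 'failed' or 'blocked'."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return "blocked", 0.0
        if check_password(username, password):
            self.failures.pop(username, None)  # valid login: answered at once, counter cleared
            return "ok", 0.0
        self.failures[username] = self.failures.get(username, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.ip_failures[ip] >= IP_BLOCK_AFTER:
            self.blocked_until[ip] = now + IP_BLOCK_SECONDS
        delay = delay_for(self.failures[username])  # only the failure path is slowed
        if delay:
            sleep(delay)
        return "failed", delay
```

The `now` and `sleep` parameters exist so the policy can be exercised deterministically; in production leave them at their defaults.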