Reply to post: Account lockouts = stupid

It's World (Terrible) Password (Advice) Day!

Joe Montana

Account lockouts = stupid

Account lockouts do very little to stop brute force: an attacker isn't going to try thousands of passwords against a single account; they're going to try "Password1" against thousands of accounts, as this has a far greater chance of success, and systems which lock based on account will do nothing to stop this attack, despite the fact that thousands of attempts to log in to different accounts is clearly malicious activity that should be detected.

Not only that, but locking accounts makes it very easy for someone malicious to intentionally lock accounts, causing severe inconvenience and disruption.

You need to develop a sensible strategy like exponential backoff and detecting anomalous behaviour like the above, not just blindly lock accounts.
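The two controls the comment asks for, detecting one source hitting many different accounts and applying exponential backoff instead of a hard lock, as an added example that is not part of the comment or of The Register's own systems. The log format (`src=`, `user=`, `result=` fields) and the sample lines are constructed for this illustration; the thresholds (10 distinct accounts in 5 minutes, backoff capped at 300 s) are assumed starting points, not recommendations from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (documentation IP ranges, made-up users; not from
# any real system). One source fails once against twelve different accounts,
# which is the spraying pattern described in the comment; another source is an
# ordinary user who mistypes twice and then succeeds.
SAMPLE_LOG = "\n".join(
    [f"2019-05-02T10:00:{i:02d}Z src=203.0.113.5 user=user{i:02d} result=FAIL"
     for i in range(12)]
    + [
        "2019-05-02T10:00:30Z src=198.51.100.7 user=alice result=FAIL",
        "2019-05-02T10:00:45Z src=198.51.100.7 user=alice result=FAIL",
        "2019-05-02T10:01:02Z src=198.51.100.7 user=alice result=OK",
    ]
)

# Assumed line layout: "<ISO timestamp>Z src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spray(log_text, window=timedelta(minutes=5), min_accounts=10):
    """Flag sources whose failed logins touched at least `min_accounts`
    distinct accounts inside any `window`-long span.

    Returns {src: sorted list of every account that source failed against}.
    A per-account lockout never sees this pattern, because each account
    receives only one failure.
    """
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        counts = defaultdict(int)  # distinct users inside the sliding window
        start = 0
        for ts, user in events:
            counts[user] += 1
            # Drop events that have fallen out of the window.
            while events[start][0] < ts - window:
                old_user = events[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            if len(counts) >= min_accounts:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged


def backoff_delay(consecutive_failures, base=1.0, cap=300.0):
    """Seconds to delay the next attempt after N consecutive failures on one
    account: 0 before any failure, then base, 2*base, 4*base, ... up to `cap`.
    The account is never locked, so a hostile party cannot use failed logins
    to deny the legitimate owner access indefinitely.
    """
    if consecutive_failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (consecutive_failures - 1))


if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"spray suspected from {src}: {len(accounts)} accounts")
    for n in range(0, 11):
        print(f"after {n} failures: wait {backoff_delay(n):.0f}s")
```

Both checks are keyed differently on purpose: the spray detector groups by source because that is where the "thousands of accounts, one password each" pattern is visible, while the backoff is tracked per account so that a single mistyping user is slowed down gently rather than locked out. In practice the detector would also be run per password hash or per user-agent, since sprayers rotate source addresses.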

Biting the hand that feeds IT © 1998–2019