Comments on: Automated Lockouts: Just Say No!

By: tom

tom — Mon, 25 Aug 2008 13:24:06 +0000

er – that should have been COMPLIANCE (not APPLIANCE)

By: tom

tom — Mon, 25 Aug 2008 13:22:55 +0000

But most managers implementing security policies have not the slightest interest in making their systems “secure” whatever that might mean in their environment.

Their main concern is to earn brownie points by reporting to their managers that they have achieved whatever level of appliance is deemed necessary.

– Security is not an add-on

By: yathrib

yathrib — Sun, 29 Jun 2008 10:52:06 +0000

Funny, we cover this very point in an introductory security class I teach. Most of the students in that class picked up that 3-strike lockouts just gave the attacker a trivial DoS capability.

Back-off timers seem to be a nice solution: a human interactively logging in will realize they’re making a mistake if after three tries it takes them a minute to get another prompt.

By: Steve Ruegnitz

Steve Ruegnitz — Fri, 20 Jun 2008 20:14:24 +0000

Andy

Sad but true that at this point it has gone beyond conventional wisdom to lock out after three attempts, it has joined the ranks of generic audit checklists. This will make well meaning, but not well skilled audit teams simply look for a binary answer of “yes we do lock out or no we don’t” with little to no understanding of the implications.

I fear this policy will be with us long after any utility to it (if there ever was any utility in the first place) is gone.

By: Kevin Riggins

Kevin Riggins — Fri, 20 Jun 2008 15:24:35 +0000

Andy,

Really enjoyed the post. Good stuff. As you and the other commenters have pointed out, password lockouts are another fine example of “It Depends.” Having the business folks chime in on issues like this is vitally important as you allude to with your example of stock traders not being able to work because of lockouts.

On a bit of a side note, what a great way to attack the brand of a company that relies on their people being able to access systems real-time.

Keep up the good work.

Kevin

By: Scott Pinzon

Scott Pinzon — Thu, 19 Jun 2008 18:34:26 +0000

I really enjoyed reading your post, Andy. It’s rare to find a solid, thought-provoking blog entry like yours. I must admit, though, you haven’t convinced me that lockouts are bad. You HAVE convinced me that locking out at 10 tries makes a lot more sense than locking out at 3 or 5 tries. This perception might be based on my current environment. Data here is very sensitive. Where at your trading job, lost time meant a large loss of money, in the department where I work, lost time has much less impact than compromised data does. Anyway, thanks for the stimulus; your thoughts have given my brain that fresh minty feeling!

By: securecyber

securecyber — Thu, 19 Jun 2008 17:56:23 +0000

I agree with both of you. I am investigating the Alert Logs on a daily basis and I see a lot of failed logins from applications and cron jobs only because someone did not make the files trusted again or mistyped the password.
Failed logins (especially in UNIX) forced the issue of a “serevu” command that revokes the user. It creates a lot of unnecessary headache for administrators. The suggestions in the article above must be taken seriously.

http://securecyber.blogspot.com (CISSP resources, cyber crime, etc)

By: Mike Ackerman

Mike Ackerman — Thu, 19 Jun 2008 01:25:03 +0000

All very good points and well articulated. I would add that one should be even more careful about enabling lockouts for “system accounts” or accounts that are used to run applications or services. It may seem at first that these are important accounts that you would want to make sure are not compromised, however, the possibility of a DOS attack on these accounts may have even greater implications than for user accounts. You would also want to avoid the more likely scenario of these accounts being locked out because a developer or system administrator mistakenly tried to access the account as part of testing with the wrong password. As suggested, monitoring is clearly a preferred approach.