
2.5 Inhibit Password Guessing

Policy

There must be a mechanism to limit the number of repeated unsuccessful attempts to log into an application or server that deals with confidential information.

Discussion

Automated password guessing is a common way that attackers attempt to gain access to computers. In some places as many as 400,000 guessing attempts have been recorded against a single account on a single day. The easiest way to thwart password guessing attacks is to limit the number of unsuccessful attempts to log into an application before the account is locked. Locking the account means that the attacker has to wait until the account is re-enabled before they can continue the attack. A lockout threshold of 10 failed attempts and a lockout period of 30 min reduces the possible guesses per day to 480. At that rate an automated guessing attack could take years to guess a password if the password is one that meets standard complexity requirements.

Too small a value on the lockout threshold can discourage people from using complex passwords that may be hard to type, or from using different passwords for different applications, since they might try the wrong password for an application a few times and get locked out. A value of about 10 seems to be a reasonable trade-off between inhibiting guessing attacks and not making things too hard for the user.

In all cases the fact that a user has been locked out should be recorded and that information provided to the system or application manager. The manager can then talk with the user to determine whether there has been an attack.

Accounts can be automatically re-enabled some period after the lockout, or the system can be set up to require a manager's intervention. The latter can be quite frustrating if the lockout happens during non-work hours. As long as the lockout gets logged, having the account re-enabled automatically after a period of 30 to 60 min makes no significant difference to the security of the system.

Automatic lockouts do have one potentially major disadvantage: they enable an easy denial of service (DoS) attack. Someone who wants to disrupt a user can simply submit a series of deliberately bad passwords to get the user's account locked. On balance, the added protection of lockouts is generally more important than the risk of a DoS attack. Logging the IP address that login attempts come from can help in tracking down attackers.

An alternative to an actual lockout is to progressively slow down the login process with each failed attempt.
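As an added illustration (not code from this policy page), a small Python login guard that implements the controls discussed above: a threshold of 10 failed attempts, automatic re-enablement after 30 minutes, a lockout record with the source IP address for the manager, a helper that computes the 480 guesses-per-day bound, and the progressive slowdown alternative. The class and function names, and the sample user and address, are assumptions made for the example.

```python
import time

LOCKOUT_THRESHOLD = 10       # failed attempts before the account is locked
LOCKOUT_SECONDS = 30 * 60    # automatic re-enable after 30 minutes

class LoginGuard:
    """Tracks failed logins per account and locks after too many (assumed helper)."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout = lockout
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> epoch seconds when the lock expires
        self.audit_log = []     # lockout events for the system/application manager

    def attempt(self, user, password_ok, source_ip, now=None):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(user, 0):
            return "locked"                   # still locked: reject even a correct password
        self.locked_until.pop(user, None)     # lock period over: re-enable automatically
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
            # record the lockout and the source address so the manager can follow up
            self.audit_log.append({"user": user, "ip": source_ip, "at": now})
            return "locked"
        return "failed"

def guesses_per_day(threshold=LOCKOUT_THRESHOLD, lockout=LOCKOUT_SECONDS):
    """Upper bound on password guesses an attacker gets per day under this policy."""
    return threshold * (24 * 60 * 60 // lockout)   # 10 * 48 = 480

def progressive_delay(failures, base=1.0, cap=60.0):
    """Alternative to lockout: seconds to stall the login after `failures` misses."""
    return 0.0 if failures == 0 else min(base * 2 ** (failures - 1), cap)

if __name__ == "__main__":
    guard = LoginGuard()
    # constructed sample: wrong guesses against 'alice', one per second, from one address
    results = [guard.attempt("alice", False, "192.0.2.10", now=i) for i in range(10)]
    print(results[-1], guard.audit_log)                          # locked, one audit entry
    print(guard.attempt("alice", True, "192.0.2.10", now=100))   # locked (lock still active)
    print(guard.attempt("alice", True, "192.0.2.10", now=1900))  # ok (auto re-enabled)
    print(guesses_per_day())                                     # 480
```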
