
2.6 Limit Application Availability Time

Policy

There must be a mechanism to time out a user’s access to applications that deal with confidential information.

Discussion

Users who walk away from their computers while still logged into an application give an attacker the opportunity to access the application as that user, or to mount a denial of service attack by changing the user's password. The risk, and therefore the appropriate timeout period, depends on how easily someone else can reach the user's computer. A computer in an open plan office presents a much greater risk than one in an office with an automatically locking door. In the first case the timeout should be only a few minutes, whereas a longer timeout could be used in the second. Even in the second case there may be a risk, for example if the room is cleaned by janitorial staff after everyone leaves for the day.

It is not advisable to rely on users remembering to log out or to engage a locking screen saver when they step away, because it is far too easy for users to get distracted and forget to do so.

If all the users of an application are in the same type of physical environment, a timeout may be best implemented within the application so as not to depend on the proper setup of the local computers. Some applications can be configured to have different timeouts for different users or different terminals. In other cases it may be necessary to use local lockouts (e.g., locking screen savers) because some users' physical environments present a special risk. Even in this case, applications should have a default timeout to deal with the cases where the local computer is misconfigured.
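The following is an added illustration of an application-enforced idle timeout of the kind the Discussion describes; it is example code written for this page, not part of the Harvard policy or any Harvard system. It assumes a hypothetical session store where the timeout for a request is the most restrictive of any per-user and per-terminal value configured, falling back to a short default (5 minutes) when neither is configured, so a misconfigured or unknown terminal is treated as high risk. The user names, terminal identifiers and timeout values are constructed for the example.

```python
"""Idle-timeout enforcement for sessions handling confidential data.

Example code added to illustrate the policy discussion; the policy tables,
names and values below are hypothetical.
"""
from dataclasses import dataclass, field
import secrets
import time

# Conservative default (seconds). Applies whenever neither the user nor the
# terminal has an explicit timeout, i.e. whenever the environment is unknown.
DEFAULT_IDLE_TIMEOUT = 5 * 60


@dataclass
class SessionStore:
    # Hypothetical policy tables: idle timeouts (seconds) keyed by user id and
    # by terminal id. A terminal id would normally come from device
    # registration, not from anything the client can freely assert.
    user_timeouts: dict = field(default_factory=dict)
    terminal_timeouts: dict = field(default_factory=dict)
    default_timeout: int = DEFAULT_IDLE_TIMEOUT
    _sessions: dict = field(default_factory=dict, init=False, repr=False)

    def idle_timeout_for(self, user: str, terminal: str) -> int:
        """Most restrictive configured limit; the default if none is configured."""
        configured = [
            t for t in (self.user_timeouts.get(user), self.terminal_timeouts.get(terminal))
            if t is not None
        ]
        return min(configured) if configured else self.default_timeout

    def login(self, user: str, terminal: str, now: float) -> str:
        """Create a session after authentication succeeded; returns an opaque token."""
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = {"user": user, "terminal": terminal, "last_activity": now}
        return token

    def touch(self, token: str, now: float):
        """Validate a request against its session.

        Returns the user id if the session is live, or None if the token is
        unknown or has been idle longer than its limit. An idle session is
        destroyed server side, so a later request with the same token fails
        even if the browser or terminal still holds it.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        limit = self.idle_timeout_for(session["user"], session["terminal"])
        if now - session["last_activity"] > limit:
            del self._sessions[token]
            return None
        session["last_activity"] = now  # activity resets the idle clock
        return session["user"]

    def logout(self, token: str) -> None:
        """Explicit logout; idempotent."""
        self._sessions.pop(token, None)


def build_example_store() -> SessionStore:
    """Constructed policy: a short limit for an open plan terminal, a longer one
    for a locked office, and a tighter per-user limit for a privileged account."""
    return SessionStore(
        user_timeouts={"alice": 120},
        terminal_timeouts={"open-plan-07": 180, "locked-office-2": 1800},
    )


if __name__ == "__main__":
    store = build_example_store()
    t0 = time.time()
    token = store.login("alice", "locked-office-2", now=t0)
    print("limit for alice on locked-office-2:", store.idle_timeout_for("alice", "locked-office-2"))
    print("request at +100s:", store.touch(token, now=t0 + 100))
    print("request at +221s (idle 121s):", store.touch(token, now=t0 + 221))
```

The clock is passed in explicitly so the expiry logic can be exercised without waiting; a real deployment would read it from the server, never from the client. Note that the per-user limit (120 s) wins over the locked office's 1800 s, matching the policy's point that the application should not assume the local environment is safe.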

© 2009 President and Fellows of Harvard College.
 



Source URL (retrieved on 11/25/2009 - 02:33): http://www.security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_6