Sunday, May 03, 2009

Locking Out Users? Good Security or DoS Enabler?

The idea of locking out users after a specified number of failed login attempts isn't new. It's been touted for a long time as a way to prevent unauthorized access to computer systems, such as by brute-force guessing of weak passwords.

And, in its recently released Special Publication 800-118, the National Institute of Standards and Technology (NIST) calls for just that approach, among others. It's also something I advocated on page 54 of my book, The Little Black Book of Computer Security, Second Edition.

But, in his recent weekly column in Network World, Mich Kabay, commenting on the new NIST password standard, says a better approach is outlined on page 3-5 of the standard. He also questioned my recommendation of lockouts in a column last year.

"Have a fixed or exponentially increasing delay after each failed authentication attempt. After the first failure, for example, there could be a five-second delay; after the second failure, a 10-second delay; after the third failure, a 20-second delay, and so on."

Kabay also commented on other password wisdom from the NIST draft document in another recent column.
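To make the trade-off concrete, here is a small simulation, added for this post and not taken from the blog, the book or the NIST publication, that runs the same stream of login attempts through a hard lockout and through the escalating delay Kabay quotes (5 s, 10 s, 20 s, ...). The policy names, the credential store, the cap on the delay and the event stream are all constructed for the example.

```python
"""Added example (not from the blog post or the NIST publication): a small
simulation comparing a hard account lockout with the escalating-delay policy
quoted above.  Policy names, the credential store and the event stream are
constructed for this example."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed credential store; the password is stored in plain text only to
# keep the example short.  A real system stores salted password hashes.
CREDENTIALS = {"alice": "correct horse battery staple"}


def password_ok(user: str, password: str) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    stored = CREDENTIALS.get(user, "")
    return bool(stored) and hmac.compare_digest(stored, password)


@dataclass
class LockoutPolicy:
    """Lock the account after `max_failures` consecutive failures (no expiry).
    Anyone who knows the username can lock the real user out at will."""
    max_failures: int = 3
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def wait_seconds(self, user: str, now: float) -> Optional[float]:
        """None if an attempt may proceed, otherwise how long to wait."""
        return float("inf") if user in self.locked else None

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(user, None)
            return
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)


@dataclass
class BackoffPolicy:
    """Delay doubles after each failure: 5 s, 10 s, 20 s, ... up to `max_delay`.
    The account is never locked, so a legitimate user can always get back in."""
    base_delay: float = 5.0
    max_delay: float = 300.0          # cap is this example's choice, not NIST's
    failures: Dict[str, int] = field(default_factory=dict)
    not_before: Dict[str, float] = field(default_factory=dict)

    def delay_after(self, n_failures: int) -> float:
        if n_failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (n_failures - 1), self.max_delay)

    def wait_seconds(self, user: str, now: float) -> Optional[float]:
        remaining = self.not_before.get(user, 0.0) - now
        return remaining if remaining > 0 else None

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(user, None)
            self.not_before.pop(user, None)
            return
        self.failures[user] = self.failures.get(user, 0) + 1
        self.not_before[user] = now + self.delay_after(self.failures[user])


def attempt(policy, user: str, password: str, now: float) -> str:
    """Run one login attempt through a policy and describe the outcome.
    Attempts made during a wait are refused without checking the password
    and do not count as a failure."""
    wait = policy.wait_seconds(user, now)
    if wait is not None:
        return "locked" if wait == float("inf") else f"wait {wait:.0f}s"
    ok = password_ok(user, password)
    policy.record(user, ok, now)
    return "ok" if ok else "bad password"


# Constructed event stream: someone guesses at alice's account four times,
# then alice herself logs in with the right password a minute later.
EVENTS: List[Tuple[float, str, str]] = [
    (0.0, "alice", "password1"),    # guess 1
    (6.0, "alice", "letmein"),      # guess 2
    (17.0, "alice", "alice123"),    # guess 3
    (18.0, "alice", "qwerty"),      # guess 4, inside the 20 s wait
    (60.0, "alice", "correct horse battery staple"),  # the real user
]


def run(policy) -> List[str]:
    """Outcome of every event under the given policy, in order."""
    return [attempt(policy, user, pw, t) for t, user, pw in EVENTS]


if __name__ == "__main__":
    print("lockout:", run(LockoutPolicy()))
    print("backoff:", run(BackoffPolicy()))
```

Under the lockout policy the three guesses lock the account and alice is refused at t=60 even with the right password; that is the denial of service the title asks about. Under the backoff policy the guesser is slowed (the fourth guess is refused without even being checked), yet alice gets in once the wait has elapsed. The delay is tracked per account, so a sustained guessing stream does still delay the legitimate user, but only up to the cap and never permanently; tracking failures per source address as well, which this example leaves out, is the usual way to narrow that further.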

