Security Forums

How to prevent password lockout?

Sco
Just Arrived
Joined: 12 Feb 2004
Posts: 0
Location: UK

Posted: Fri Aug 05, 2005 4:26 pm    Post subject: How to prevent password lockout?

On sites where if you enter your password incorrectly, it says how you have had 1 out of 5 attempts. Is there a way to stop a random person locking someone's account by just deliberately entering incorrect passwords?

thanks
Sco

roundtrip
Just Arrived
Joined: 04 Aug 2005
Posts: 0
Location: Scotland

Posted: Fri Aug 05, 2005 4:33 pm

Depends what your set-up is but here is a practice that could work:

1. You could lock out the account for a short duration once the wrong password threshold has been reached.

2. Send an information email to the account holder that their account has been locked out. You could go even further and send one on every unsuccessful password attempt. I'd go with the only-when-it-is-locked-out approach.

3. After a pre-determined time, say 10 minutes, the account is automatically unlocked.

4. If this occurs say twice in any one day, you could block the IP to hopefully put another obstacle in the way of an attack.

Obviously, you need to be the admin or developer of the site as this will require some coding and/or setting up.
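
roundtrip's four steps as a small lockout tracker, added here as an example (it is not code from the thread). The class and constant names are hypothetical, the e-mail is a callback, and a lockout is attributed to the IP that made the threshold-reaching attempt, which is a simplifying assumption.

```python
from collections import defaultdict

THRESHOLD = 5            # wrong passwords allowed (the "1 out of 5" in the question)
LOCK_SECONDS = 10 * 60   # step 3: automatic unlock after 10 minutes
LOCKOUTS_PER_DAY = 2     # step 4: lockouts one IP may trigger per day before a block
DAY = 24 * 60 * 60


class LockoutPolicy:
    """Hypothetical in-memory tracker; times are plain epoch seconds."""

    def __init__(self, notify):
        self.notify = notify                      # callable(account), stands in for e-mail
        self.failures = defaultdict(int)          # account -> consecutive wrong passwords
        self.locked_until = {}                    # account -> time the lock expires
        self.lockouts_by_ip = defaultdict(list)   # ip -> times it triggered a lockout
        self.blocked_ips = set()

    def attempt(self, account, ip, password_ok, now):
        """Return 'blocked', 'locked', 'ok' or 'denied' for one login attempt."""
        if ip in self.blocked_ips:
            return "blocked"
        if self.locked_until.get(account, 0) > now:
            return "locked"                       # lock still running; do not extend it
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] < THRESHOLD:
            return "denied"
        # Step 1: threshold reached, lock the account for a short fixed period.
        self.failures[account] = 0
        self.locked_until[account] = now + LOCK_SECONDS
        self.notify(account)                      # step 2: one message per lockout
        # Step 4: count lockouts this IP triggered within the last day.
        recent = [t for t in self.lockouts_by_ip[ip] if now - t < DAY] + [now]
        self.lockouts_by_ip[ip] = recent
        if len(recent) >= LOCKOUTS_PER_DAY:
            self.blocked_ips.add(ip)
        return "locked"
```

Because attempts made while the lock is running do not extend it, a deliberate lockout costs the account holder at most the 10 minutes of step 3 each time.
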
onoski
Just Arrived
Joined: 30 Nov 2005
Posts: 2
Location: London UK

Posted: Wed Nov 30, 2005 10:53 pm

Just to add to what has already been said, if the user tries over the set logins then the account automatically locks out. I still think this is the basic and suitable way as every other try would still result in the account being locked and unlocked after say maybe half an hour. An audit can also be set up to take note if this occurs on one computer specifically or random different computers.

I have dealt with users that argue blindly that they put in the right password but the computer still locks them out. I just simply say to them it's the computer's way of finding out if the right person with the right credentials is trying to log on, same as your ATM machine points after three or so unsuccessful attempts the card is taken. Similar kind of idea with logging on to computers locally and in a network domain.

psuedo
Just Arrived
Joined: 29 Mar 2006
Posts: 0

Posted: Thu Mar 30, 2006 3:36 am    Post subject: Re: How to prevent password lockout?

Sco wrote:
On sites where if you enter your password incorrectly, it says how you have had 1 out of 5 attempts. Is there a way to stop a random person locking someone's account by just deliberately entering incorrect passwords?

thanks
Sco


I think stopping random people from trying to get into someone's account is the whole point of an account lockout policy.
Why would you want to stop it happening??

soulstace
Just Arrived
Joined: 20 Feb 2006
Posts: 0

Posted: Thu Mar 30, 2006 12:54 pm    Post subject: Re: How to prevent password lockout?

psuedo wrote:

I think stopping random people from trying to get into someone's account is the whole point of an account lockout policy.
Why would you want to stop it happening??


He is concerned about someone intentionally locking out people's accounts. Like for example, if I were to keep trying to log in with user:psuedo pass:password, five times in a row on this website. Then when you come here to post it says your account is locked out.

Mongrel
SF Mod
Joined: 30 May 2002
Posts: 8

Posted: Sat Dec 15, 2007 10:58 pm

If I read the question correctly, there seems to be some sort of battle
going on. Someone is PO'ed at another and gets the first person locked
out from spite.

Most of what is said here is correct - most sites time-out for a
predetermined period; but not all. Some require a request - no ifs, ands or
buts. In that case there might be a couple of ideas.

1) Find a way to make peace with the person locking you out. (You most
likely know them and have had run-ins with them in the past.)

2) Take out a new username.

3) Inform the administration - they *may* be kind enough or not too busy
to help you by watching sources of attempted logins or the likes. Not sure
what they could do though as I am sure they wouldn't tick the "Do not lock
out" check box next to your name. :)

Whatever; this seems like a petty war that could easily escalate and that's
the last thing I would want.

Peace out.

The_Real_Gandalf
Trusted SF Member
Joined: 14 Apr 2004
Posts: 0
Location: Athens, Greece

Posted: Tue Dec 18, 2007 9:46 am

2 words:

PHYSICAL SECURITY.

The term is not only about allowing a person (or not) to have access to the keyboard... it is also about monitoring the whole area or providing policies/methods to survey and monitor the room where the computer exists.

There are various methods, depending on the Sec policies that your company enforces.

One---Smart card + token. With the use of a smart card and a proper keyboard with a slot (commercially available), first of all you ensure that only the proper person can engage actions on this comp, and second you can be very sure that even the correct person will not have a password reminding problem.

Two---Biometrics. There are available cameras with a face scan engine which can ID the person who is authorized to access the machine and activate (or deactivate in case of unauthorized access) all associated actions on it.

Three---If the area is considered of high security level, then you will be forced to use CCTV, as to monitor what is going on in the rooms (banks usually have such circuits) and at the same time, locate the malicious person by matching audit logs (failure event - login), time of occurrence and videos from CCTV.

There are also more advanced methods, but then you will go up in cost, so I do not recommend them.

Keep in mind that such actions as described are considered "sabotage" to the company functions and could even lead to the dismissal of the malicious person.

Gandalf

Baldeagle79
Just Arrived
Joined: 16 Mar 2008
Posts: 0

Posted: Sun Mar 16, 2008 4:44 pm    Post subject: Authentication

Employ a 2 factor authentication scheme where first.last isn't the standard login, if at all possible. On your audit trails, shouldn't you be able to determine the computer name, or the MAC address of the system that is performing the lockouts? If so, pinning that system to the perpetrator shouldn't be too difficult...unless he/she's running around the office to various machines to do his/her nasty deed! I like the previous post, smartcard + token isn't a bad way to go.
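
The audit idea raised by onoski and Baldeagle79 (is a lockout coming from one computer or from several?) as a log-analysis sketch, added here as an example and not code from the thread. The record format, computer names and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit records: "timestamp account source-computer result".
SAMPLE_LOG = """\
2008-03-16T09:00:01 jsmith WS-014 FAIL
2008-03-16T09:00:03 jsmith WS-014 FAIL
2008-03-16T09:00:05 jsmith WS-014 FAIL
2008-03-16T09:00:07 jsmith WS-014 FAIL
2008-03-16T09:00:09 jsmith WS-014 FAIL
2008-03-16T09:05:00 mjones WS-022 FAIL
2008-03-16T09:05:20 mjones WS-022 OK
2008-03-16T10:10:00 mjones WS-014 FAIL
2008-03-16T10:40:00 mjones WS-031 FAIL
2008-03-16T11:15:00 mjones WS-014 FAIL
2008-03-16T13:02:00 mjones WS-008 FAIL
2008-03-16T13:30:00 mjones WS-014 FAIL
"""


def find_lockouts(log_text, threshold=5):
    """Return one (account, lockout time, {source: failures}) tuple per lockout."""
    streak = defaultdict(list)        # account -> sources of consecutive failures
    lockouts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                  # skip blank or malformed records
        stamp, account, source, result = parts
        if result == "OK":
            streak[account].clear()   # a successful login resets the counter
            continue
        streak[account].append(source)
        if len(streak[account]) == threshold:
            when = datetime.fromisoformat(stamp)
            lockouts.append((account, when, dict(Counter(streak[account]))))
            streak[account].clear()
    return lockouts


def sources_by_reach(lockouts):
    """Map each source computer to the set of accounts it helped lock out."""
    reach = defaultdict(set)
    for account, _, counts in lockouts:
        for source in counts:
            reach[source].add(account)
    return dict(reach)
```

In the sample, one computer accounts for every failure behind the first lockout and most of those behind the second, while a user's own single typo followed by a successful login never shows up as a lockout source.
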

All times are GMT + 2 Hours