How to prevent password lockout?

Networking/Security Forums -> Physical Security and Social Engineering

Author: Sco | Location: UK | Posted: Fri Aug 05, 2005 4:26 pm | Post subject: How to prevent password lockout?
    ----
On sites where, if you enter your password incorrectly, it says you have had 1 out of 5 attempts: is there a way to stop a random person locking someone's account by just deliberately entering incorrect passwords?

thanks
Sco

Author: roundtrip | Location: Scotland | Posted: Fri Aug 05, 2005 4:33 pm | Post subject:
    ----
Depends what your set-up is but here is a practice that could work:

1. You could lock out the account for a short duration once the wrong-password threshold has been reached.

2. Send an information email to the account holder that their account has been locked out. You could go even further and send one on every unsuccessful password attempt. I'd go with the only-when-it-is-locked-out approach.

3. After a pre-determined time, say 10 minutes, the account is automatically unlocked.

4. If this occurs say twice in any one day, you could block the IP to hopefully put another obstacle in the way of an attack.

Obviously, you need to be the admin or developer of the site as this will require some coding and/or setting up.

Author: onoski | Location: London UK | Posted: Wed Nov 30, 2005 10:53 pm | Post subject:
    ----
Just to add to what has already been said: if the user tries over the set logins then the account automatically locks out. I still think this is the basic and suitable way, as every other try would still result in the account being locked and unlocked after, say, maybe half an hour. An audit can also be set up to take note if this occurs on one computer specifically or on random different computers.

I have dealt with users that argue blindly that they put in the right password but the computer still locks them out. I just simply say to them it's the computer's way of finding out if the right person with the right credentials is trying to log on, same as your ATM machine: after three or so unsuccessful attempts the card is taken. Similar kind of idea with logging onto computers locally or in a network domain.

Author: psuedo | Posted: Thu Mar 30, 2006 3:36 am | Post subject: Re: How to prevent password lockout?
    ----
Sco wrote:
On sites where, if you enter your password incorrectly, it says you have had 1 out of 5 attempts: is there a way to stop a random person locking someone's account by just deliberately entering incorrect passwords?

thanks
Sco


I think stopping random people from trying to get into someone's account is the whole point of an account lockout policy.
Why would you want to stop it happening??

Author: soulstace | Posted: Thu Mar 30, 2006 12:54 pm | Post subject: Re: How to prevent password lockout?
    ----
psuedo wrote:

I think stopping random people from trying to get into someone's account is the whole point of an account lockout policy.
Why would you want to stop it happening??


He is concerned about someone intentionally locking out people's accounts. Like, for example, if I were to keep trying to log in with user:psuedo pass:password five times in a row on this website. Then, when you come here to post, it says your account is locked out.

Author: Mongrel | Posted: Sat Dec 15, 2007 10:58 pm | Post subject:
    ----
If I read the question correctly, there seems to be some sort of battle going on. Someone is PO'ed at another and gets the first person locked out from spite.

Most of what is said here is correct - most sites time out for a predetermined period; but not all. Some require a request - no ifs, ands or buts. In that case there might be a couple of ideas.

1) Find a way to make peace with the person locking you out. (You most likely know them and have had run-ins with them in the past.)

2) Take out a new username.

3) Inform the administration - they *may* be kind enough or not too busy to help you by watching sources of attempted logins or the like. Not sure what they could do though, as I am sure they wouldn't tick the "Do not lock out" check box next to your name.

Whatever; this seems like a petty war that could easily escalate, and that's the last thing I would want.

Peace out.

Author: The_Real_Gandalf | Location: Athens, Greece | Posted: Tue Dec 18, 2007 9:46 am | Post subject:
    ----
2 words:

PHYSICAL SECURITY.

The term is not only about allowing a person (or not) to have access to the keyboard... it is also about monitoring the whole area or providing policies/methods to survey and monitor the room where the computer exists.

There are various methods, depending on the security policies that your company enforces.

One --- Smart card + token. With the use of a smart card and a proper keyboard with slot (commercially available), first of all you ensure that only the proper person can engage actions on this computer, and second you can be very sure that even the correct person will not have a password-remembering problem.

Two --- Biometrics. There are available cameras with a face-scan engine which can ID the person who is authorized to access the machine and activate (or deactivate, in case of unauthorized access) all associated actions on it.

Three --- If the area is considered of high security level, then you will be forced to use CCTV, so as to monitor what is going on in the rooms (banks usually have such circuits) and at the same time locate the malicious person by matching audit logs (failure event - login), time of occurrence and videos from CCTV.

There are also more advanced methods, but then you will go up in cost, so I do not recommend them.

Keep in mind that such actions as described are considered "sabotage" of the company functions and could even lead to the dismissal of the malicious person.

Gandalf

Author: Baldeagle79 | Posted: Sun Mar 16, 2008 4:44 pm | Post subject: Authentication
    ----
Employ a 2-factor authentication scheme where first.last isn't the standard login, if at all possible. On your audit trails, shouldn't you be able to determine the computer name, or the MAC address, of the system that is performing the lockouts? If so, pinning that system to the perpetrator shouldn't be too difficult... unless he/she's running around the office to various machines to do his/her nasty deed! I like the previous post; smartcard + token isn't a bad way to go.
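The audit-trail correlation Baldeagle79 describes, as an added example that is not part of the thread: it groups failed-logon records by the workstation that produced them and reports any workstation that both failed against several distinct accounts and is recorded as the caller on a lockout. The log format below is constructed for the example (in a Windows domain the equivalent data is the "Workstation Name" on failed-logon events and the "Caller Computer Name" on lockout events); the host names and addresses are invented.

```python
"""Find the workstation behind a run of account lockouts from failed-logon audit records.

Added example, not from the forum. The audit format, the host names and the
addresses below are constructed for illustration; the logic is the correlation
step a domain admin would run over the real audit trail.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample audit records: WS-042 fails against two different accounts and
# appears as the caller on both lockouts; WS-017 is a single user mistyping once.
SAMPLE_AUDIT = """\
2008-03-16T09:01:12 FAILED_LOGON user=jsmith workstation=WS-042 src=10.0.5.42
2008-03-16T09:01:15 FAILED_LOGON user=jsmith workstation=WS-042 src=10.0.5.42
2008-03-16T09:01:23 LOCKOUT user=jsmith caller=WS-042
2008-03-16T09:04:07 FAILED_LOGON user=adoe workstation=WS-042 src=10.0.5.42
2008-03-16T09:04:11 FAILED_LOGON user=adoe workstation=WS-042 src=10.0.5.42
2008-03-16T09:04:19 LOCKOUT user=adoe caller=WS-042
2008-03-16T09:30:00 FAILED_LOGON user=bwong workstation=WS-017 src=10.0.5.17
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>FAILED_LOGON|LOCKOUT) (?P<kv>.*)$")


def parse(audit: str) -> Iterator[Tuple[str, str, Dict[str, str]]]:
    """Yield (timestamp, event, fields) for each well-formed record; skip the rest."""
    for line in audit.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
        yield m["ts"], m["event"], fields


def summarize(audit: str):
    """Return (failures per workstation per user, lockout callers per user)."""
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    callers: Dict[str, List[str]] = defaultdict(list)
    for _ts, event, f in parse(audit):
        if event == "FAILED_LOGON" and "workstation" in f and "user" in f:
            failures[f["workstation"]][f["user"]] += 1
        elif event == "LOCKOUT" and "caller" in f and "user" in f:
            callers[f["user"]].append(f["caller"])
    return failures, callers


def suspicious_sources(audit: str, min_accounts: int = 2) -> List[str]:
    """Workstations that failed against at least min_accounts distinct users and
    are named as the caller on at least one lockout. A single user mistyping
    their own password never meets both conditions."""
    failures, callers = summarize(audit)
    lockout_callers = {c for cs in callers.values() for c in cs}
    return sorted(ws for ws, users in failures.items()
                  if len(users) >= min_accounts and ws in lockout_callers)


def locked_accounts_from(audit: str, workstation: str) -> List[str]:
    """Accounts whose lockout names the given workstation as caller."""
    _failures, callers = summarize(audit)
    return sorted(user for user, cs in callers.items() if workstation in cs)


if __name__ == "__main__":
    for ws in suspicious_sources(SAMPLE_AUDIT):
        print(ws, "locked out:", ", ".join(locked_accounts_from(SAMPLE_AUDIT, ws)))
```

Requiring both conditions keeps the ordinary case (one user, one account, a few typos) out of the report, which is exactly the false positive onoski's post describes from the helpdesk side.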



output generated using printer-friendly topic mod, All times are GMT + 2 Hours


Powered by phpBB 2.0.x © 2001 phpBB Group