Why are password lockout thresholds so low?
Posted by domino_stars@reddit | programming | 10 comments
At work, a lead engineer made this point:
- The point of a password lockout is to prevent password guessing by an attacker.
- Every time a password lockout forces the legitimate user to perform a password reset, the password lockout has failed (remember, its goal was to stop bad guys, never good guys). The system has just performed a DoS on itself. This can be easily used by attackers to intentionally DoS your system by randomly guessing passwords, and so a too-low lockout is a security vulnerability, not a strength. Also, password resets are themselves a security hole in any system. The more common they are, the easier it is to exploit the reset process itself.
- The correct way to pick the number of tries before lockout is to pick a number that is above the number of times a legitimate user will guess before performing a password reset, but below the number of guesses an attacker needs before having a statistically significant chance of actually guessing the correct password.
There are lots of ways to work out that number. It depends on how complicated your passwords are required to be, and how random they actually are. But let's take a simple case with very conservative numbers:
- 7 letters, lower-case only, no numbers, no symbols
- Total space = 26^7 ~ 8 billion
- Expected guesses in order to have a 1 in a million chance ~ 8000
No legitimate user is going to come anywhere near 8000 tries before giving up, so even with all the safety margins above (a very small password universe and a 1:1M chance of guessing), the limiting factor is the user, not the safety margin.
My usual recommendation is around 25-100 for this setting (assuming some minimum "strong password" requirements). Anything below 10 definitely hurts security more than it helps.
If you set it over 50 or so, then a password lockout should be highly suspicious, and should notify admins to investigate. This many attempts means someone is trying to brute force your passwords, or there is a program that is repeatedly trying to login and needs to be fixed. You only get this benefit if you set the threshold high enough that there are very few false positives.
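A worked version of the arithmetic in the post above, as an added example (not code from the thread or its author). It assumes passwords are drawn uniformly from the stated space, so k distinct guesses succeed with probability k/N, and treats the post's "over 50 is suspicious" rule as a labelled parameter.

```python
"""Lockout-threshold arithmetic for the 26^7 example (added example, not from the thread).

Model assumption: passwords are uniform over a space of size N, so an attacker
who has made k distinct guesses has succeeded with probability min(1, k/N).
"""
import math


def password_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords for a charset of the given size and a fixed length."""
    return charset_size ** length


def attacker_success_probability(guesses: int, space: int) -> float:
    """Chance that `guesses` distinct attempts hit a uniformly random password."""
    return min(1.0, guesses / space)


def guesses_for_probability(target_probability: float, space: int) -> int:
    """Smallest number of distinct guesses that reaches `target_probability`."""
    return math.ceil(target_probability * space)


def evaluate_lockout_threshold(threshold: int, space: int, windows: int = 1,
                               alert_above: int = 50) -> dict:
    """Summarise what a lockout threshold buys against a password space.

    `windows` is the number of lockout periods the attacker is allowed to burn
    through (each giving `threshold` guesses). `alert_above` is the post's
    heuristic: a lockout past this many attempts is rare for a real user and
    should be investigated rather than silently reset.
    """
    total_guesses = threshold * windows
    return {
        "threshold": threshold,
        "windows": windows,
        "success_probability": attacker_success_probability(total_guesses, space),
        "alert_on_lockout": threshold > alert_above,
    }


if __name__ == "__main__":
    space = password_space(26, 7)  # lower-case only, 7 letters
    print(f"space = {space:,}")
    print("guesses for a 1-in-a-million chance:", guesses_for_probability(1e-6, space))
    for t in (4, 10, 25, 100):
        print(evaluate_lockout_threshold(t, space))
```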
deleted_by_reddit@reddit
I'm guessing they are set so low because a lot of password fraud is committed by people who already have an idea of what it might actually be (family, friends, coworkers, criminal who caught sight of the victim typing, etc.). So if you allow more than 5 or 10 or so chances, you are giving those types of people a significantly greater shot at cracking the code.
Then again, I have no idea what I'm talking about so I could be completely wrong.
domino_stars@reddit (OP)
I wonder how often this is the case, or if it's just the perceived case that convinces admins to set it so low, when they don't need to.
The complexity required by almost every system nowadays makes it so no one could reasonably guess the password. Even if you knew my password had "password" in it, good luck guessing it was "passworD123".
seagramsextradrygin@reddit
My bank requires capital letters, numbers, and special characters, and has a lockout of ~4 tries. It's extremely frustrating because every lockout makes you change your password, and it doesn't let you use the same password twice (ever). So I never have any idea what my password is because I always have to change it to some different absurdly complicated combo of letters, numbers and characters every few weeks.
federomero@reddit
Many end up writing their password in a file, saving it online somewhere or even putting it down on a piece of paper next to their computer because of these complicated rules, making them a lot more vulnerable to attacks.
dunmalg@reddit
If you use a simple obfuscation, written passwords aren't that bad. I write them down on two lines in a sort of vertical zig-zag pattern. That is, the password "elephant" will look like:
easy to read if you know the trick, looks like nonsense if you don't
deleted_by_reddit@reddit
ENCRYPTING MY STICKY NOTES, BRB
gigrut@reddit
Hello, I am replying to this 15 year old comment on this deleted account to tell people that technically this isn’t “encrypting” information (making a message secure via cryptography), but rather this is an example of steganography, or obscuring/hiding information. So, “steganizing” the sticky notes.
Yes, I’m great at parties.
princess_hjonk@reddit
13 years later… (SpongeBob card voice)