



Account Lockout


Classification Key: Perimeter Security, Spoofing

Problem

Passwords are vulnerable to password guessing attacks. How can the system's login mechanism be protected from password guessing attacks?

Solution

Limit the number of incorrect password entry attempts. The server keeps a count of consecutive failed password attempts for each account; a successful login clears the count. Once a pre-defined threshold of consecutive failures is reached, the account is locked. From that point the system should behave exactly as it does for a wrong password and deny every request, including one that carries the correct password, so that the attacker cannot tell whether the account is locked or the guess was simply wrong. The account is unlocked only after the legitimate user makes an explicit request to unlock it. Note that the same mechanism lets an attacker who knows a username deliberately lock the legitimate user out, so the threshold and the unlock procedure must be chosen with this denial-of-service risk in mind.
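The following is an added worked example of the solution above; it is not code from this catalog or from the Kienzle et al. repository. It assumes an in-memory account table, salted PBKDF2 password hashing, a hypothetical threshold of 5 failures, and hypothetical names (AccountStore, guessing_attack). It goes slightly beyond the pattern text in one place: an unknown username is treated exactly like a wrong password, including the cost of a hash computation, so that neither the response nor its timing reveals which case occurred.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values for the example; the pattern leaves them to the deployment.
LOCKOUT_THRESHOLD = 5
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0   # consecutive failures since the last success
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a slow hash so each guess stays expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory account table implementing the Account Lockout pattern (hypothetical name)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self._accounts: dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        """Return True only for the correct password on an unlocked account.

        Unknown user, wrong password and locked account all return the same
        False, so the response reveals nothing about which of them occurred.
        """
        acct = self._accounts.get(username)
        if acct is None:
            # Burn a hash for unknown users too, so timing does not reveal
            # whether the username exists (an assumption beyond the pattern text).
            hash_password(password, os.urandom(16))
            return False

        # Always compute and compare, even when locked, so a locked account
        # costs the same time as a wrong guess.
        correct = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

        if acct.locked:
            return False               # deny everything, including the right password
        if correct:
            acct.failed_attempts = 0   # a success clears the consecutive-failure count
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.threshold:
            acct.locked = True
        return False

    def is_locked(self, username: str) -> bool:
        return self._accounts[username].locked

    def failed_attempts(self, username: str) -> int:
        return self._accounts[username].failed_attempts

    def unlock(self, username: str) -> None:
        """Explicit unlock requested by the legitimate user out of band
        (help desk, re-verified identity); never triggered by the login path."""
        acct = self._accounts[username]
        acct.locked = False
        acct.failed_attempts = 0


def guessing_attack(store: AccountStore, username: str, guesses: list[str]) -> list[bool]:
    """Run a list of guesses against one account and return each attempt's result."""
    return [store.login(username, g) for g in guesses]


if __name__ == "__main__":
    store = AccountStore(threshold=3)
    store.create("alice", "correct horse battery staple")   # constructed sample account
    # Three wrong guesses lock the account; the fourth guess is the real
    # password but is still denied, exactly as the pattern prescribes.
    print(guessing_attack(store, "alice", ["123456", "password", "alice1",
                                           "correct horse battery staple"]))
    print("locked:", store.is_locked("alice"))
    store.unlock("alice")
    print("after unlock:", store.login("alice", "correct horse battery staple"))
```

The only state the login path ever changes is the per-account failure counter and the lock flag; clearing the lock is a separate operation reached through a different channel. Because any caller who knows a username can drive the counter to the threshold, a deployment would normally combine this with the related Network Address Blacklist pattern so that the guessing source is throttled before legitimate users are locked out.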

Known Uses

Online banking system login window, traditional password and PIN systems.

Related Patterns

Hidden Implementation, Encrypted Storage, Network Address Blacklist

Source

Kienzle et al. Repository

Tags

Authentication, User Interface



Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz