Perimeter Security, Spoofing
Passwords are vulnerable to password guessing attacks.
How can the system's login mechanism be protected from password guessing attacks?
Limit the number of incorrect password entry attempts. The server keeps a count of consecutive failed password attempts for each account; when the user logs in successfully, this count is cleared.
Once a pre-defined threshold of consecutive failures is reached, the account is locked. From then on the system should behave normally but deny every request, so that the attacker cannot tell whether the account is locked or the guessed password is simply wrong. The account is unlocked only after the legitimate user makes an explicit request to unlock it.
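The following is an added illustration of the pattern, not code from the catalog or its source repository. It implements the consecutive-failure counter, the lockout threshold, the reset on successful login, and the explicit unlock request. The threshold value, the PBKDF2 parameters, the in-memory account store and the user names are assumptions made for the example. One design point the pattern stresses is visible in `login()`: a locked account and a wrong guess produce the same result, and the password hash is computed in every branch so the response timing does not leak the lock state either.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed values for this example; the pattern only says "pre-defined threshold".
LOCKOUT_THRESHOLD = 5
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0  # consecutive failures, as the pattern describes
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class LoginService:
    """Constructed in-memory login service; a real system keeps accounts in its user store."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self.accounts[username] = Account(salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        """Return True only for a correct password on an unlocked account.

        Unknown user, wrong password and locked account all return the same
        False, so the caller cannot learn whether the account is locked or
        the guess was simply wrong.
        """
        acct = self.accounts.get(username)
        if acct is None:
            # Still pay the hashing cost so timing does not reveal that the
            # username does not exist.
            _hash_password(password, b"\x00" * SALT_LEN)
            return False
        # Verify even when locked, to keep the work done on every path uniform.
        ok = hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)
        if acct.locked:
            return False  # deny regardless of correctness while locked
        if ok:
            acct.failed_attempts = 0  # a successful login clears the count
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.threshold:
            acct.locked = True
        return False

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.locked

    def unlock(self, username: str) -> None:
        """Explicit unlock request by the legitimate user; how that user is
        verified out of band is outside this example."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0


def demo() -> list[bool]:
    """Run the scenario from the pattern and return the login outcomes in order."""
    svc = LoginService(threshold=3)
    svc.register("alice", "correct horse")            # constructed account
    outcomes = [svc.login("alice", "guess%d" % i) for i in range(3)]  # 3 wrong -> locked
    outcomes.append(svc.login("alice", "correct horse"))  # right password, still denied
    svc.unlock("alice")
    outcomes.append(svc.login("alice", "correct horse"))  # unlocked, succeeds
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Note that lockout by itself turns a guessing attack into a denial-of-service opportunity against the legitimate user; the related Network Address Blacklist pattern and the explicit-unlock requirement are the catalog's answers to that trade-off.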
Online banking system login window, traditional password and PIN systems.
Hidden Implementation, Encrypted Storage, Network Address Blacklist
Kienzle et al. Repository
Authentication, User Interface
Last modified: May 05, 2012 and maintained by: Munawar Hafiz