0

I am creating a login for users and want to make sure the login is user friendly enough, but also will meet the security standards of the larger enterprise customers we are working with. Is there a guideline on the number of login attempts a user should have before they are locked out and have to reset their password?

  • Think like an attacker. If you are locking people out and forcing them to change their password, what does that allow an attacker to do? Security includes both breaking in and denying (or annoying) access to others. – TheGreatContini Jun 23 '15 at 21:49
  • possible duplicate of [The definitive guide to form-based website authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – Vilmantas Baranauskas Jun 24 '15 at 07:51

2 Answers

2

There are a few different ways of handling this.

Depending on the level of security of the application, a lock out can be effective. It can also be a Denial of Service if someone can attempt to log in to an account 3 times and then lock it out. It really depends on what your website is. If it's a bank it may want a better lockout policy than an online game.

There are two alternatives that usually lead to better results. One is an exponential backoff upon failed login. Every time someone fails to log in, you make the backoff longer, at an exponential rate. This is nice because it doesn't really affect users who mistype their username/password, but it will stop an attacker trying to brute-force their way in with millions of username/password combinations.

Another result is to implement a captcha after a number of failed logins. This also allows the user to still access their account if they can prove that they are a human.

haxim
  • There's actually a number of solutions to this. For example, look at [this](http://spectrum.library.concordia.ca/976807/1/mannan2012.pdf) and [this](https://www.covata.com/blog/defending-password-attacks-without-captchas/) (assumes you have user's email address), and any number of hybrids of those ideas. – TheGreatContini Jun 24 '15 at 21:47
0

Don't lock users out of web apps. Otherwise a blackhat will just hammer admin accounts after every lockout period. Then you can never log in.

See *Block request for multiple unsuccessful logins for a period of time* for a better idea.

But if you don't want to do that, PCI-DSS says <= 6

Neil McGuigan
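Both answers argue for throttling over hard lockouts: haxim's exponential backoff with a CAPTCHA gate after a few failures, and Neil McGuigan's point that blocking requests for a period of time is better than an account lockout an attacker can keep re-triggering. The code below is an added example written to illustrate that combination; it is not code from either answer. It assumes a per-account state store, a simulated clock passed in as `now`, the tuning constants (`BASE_DELAY`, `MAX_DELAY`, `CAPTCHA_AFTER`) and a constructed single-user table; all of these are assumptions, not values from the thread.

```python
"""Login throttle: exponential backoff per account plus a CAPTCHA gate.

Added example (not from the Stack Exchange answers). Constants and the
demo user table are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Tuning knobs; the values are assumptions for this example.
BASE_DELAY = 2.0       # seconds of backoff after the first failure
MAX_DELAY = 3600.0     # cap so repeated failures never become an indefinite lockout
CAPTCHA_AFTER = 3      # failures after which a CAPTCHA must accompany the attempt


@dataclass
class AccountState:
    failures: int = 0
    blocked_until: float = 0.0  # login attempts are refused before this timestamp


class LoginThrottle:
    """Exponential backoff per account, with a CAPTCHA gate after repeated failures."""

    def __init__(self, verify_password, base=BASE_DELAY, cap=MAX_DELAY,
                 captcha_after=CAPTCHA_AFTER):
        self._verify = verify_password  # callable(username, password) -> bool
        self._base, self._cap, self._captcha_after = base, cap, captcha_after
        self._state: dict[str, AccountState] = {}

    def delay_for(self, failures: int) -> float:
        """Backoff after the n-th consecutive failure: base * 2**(n-1), capped.

        The cap is what keeps this a delay rather than a lockout: an attacker
        hammering the account can only ever push the wait up to MAX_DELAY."""
        return min(self._base * 2 ** (failures - 1), self._cap)

    def attempt(self, username: str, password: str, now: float, captcha_ok: bool = False):
        """Return (status, seconds); status is 'ok', 'failed', 'backoff' or 'captcha_required'."""
        st = self._state.setdefault(username, AccountState())
        if now < st.blocked_until:
            # Inside the backoff window: the password is not even checked, so the
            # attacker's rate is bounded by the delay, not by how fast we hash.
            return "backoff", st.blocked_until - now
        if st.failures >= self._captcha_after and not captcha_ok:
            # The account is not locked; a human can still get in by solving a CAPTCHA.
            return "captcha_required", 0.0
        if self._verify(username, password):
            self._state.pop(username, None)  # success clears the penalty entirely
            return "ok", 0.0
        st.failures += 1
        wait = self.delay_for(st.failures)
        st.blocked_until = now + wait
        return "failed", wait


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_demo_throttle() -> LoginThrottle:
    """Throttle over a constructed in-memory user table (alice / 'correct horse')."""
    salt = os.urandom(16)
    users = {"alice": (salt, _hash("correct horse", salt))}

    def verify(username: str, password: str) -> bool:
        # Unknown users still pay for one hash and one compare, so the timing
        # does not reveal whether the username exists.
        user_salt, stored = users.get(username, (b"\x00" * 16, b"\x00" * 32))
        return hmac.compare_digest(_hash(password, user_salt), stored)

    return LoginThrottle(verify)


def demo_timeline():
    """A user mistypes three times, then proves they are human. Simulated clock in seconds."""
    t = make_demo_throttle()
    return [
        t.attempt("alice", "wrong", now=0.0),                          # ('failed', 2.0)
        t.attempt("alice", "correct horse", now=1.0),                  # ('backoff', 1.0): too soon
        t.attempt("alice", "wrong", now=2.0),                          # ('failed', 4.0)
        t.attempt("alice", "wrong", now=6.0),                          # ('failed', 8.0)
        t.attempt("alice", "correct horse", now=14.0),                 # ('captcha_required', 0.0)
        t.attempt("alice", "correct horse", now=14.0, captcha_ok=True),  # ('ok', 0.0)
    ]


if __name__ == "__main__":
    for status, seconds in demo_timeline():
        print(f"{status:17s} wait={seconds:.0f}s")
```

The state lives in a plain dict here; in a real deployment it would sit in a shared store so that the backoff survives restarts and applies across all front-ends. Note what the design does not do: it never refuses a correct password outright once the wait has passed, which is the property the second answer is after.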