Comment suggested removing specific figures.
Source Link
Silver
  • 1.8k
  • 1
  • 14
  • 23

It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.

Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.

You must ask yourself: what is the benefit of showing this information to a genuine user? Often, these problems with lockout occur because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.

NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.

I will add the NIST references when the site comes back up. Troy Hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.

It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.

Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess a large number of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.

You must ask yourself: what is the benefit of showing this information to a genuine user? Often, these problems with lockout occur because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.

NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.

I will add the NIST references when the site comes back up. Troy Hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.

Depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, it can help an attacker to not lock out an account when showing a counter. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.

Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.

You must ask yourself: what is the benefit of showing this information to a genuine user? Often, these problems with lockout occur because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.

NIST has a point: think of a password which no attacker will guess in 3 attempts but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts, although that is less likely. Therefore, a good password policy is a must.

I will add the NIST references when the site comes back up. Troy Hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.
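Added example (not part of the answer above or its author's code): a small Python lockout tracker with the two properties the answer names, a failure counter that resets after a quiet period and a lock that does not expire on its own. Timestamps are passed in explicitly so the policy can be exercised offline; the thresholds and window lengths are constructed values, not a recommendation.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    max_attempts: int = 20       # lock after this many failures inside the window
    reset_after: float = 900.0   # seconds of quiet after which the failure counter resets
    auto_unlock_after: Optional[float] = None  # None: stays locked until an operator clears it

@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_at: Optional[float] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_at is None:
            return False
        ttl = self.policy.auto_unlock_after
        if ttl is not None and now - st.locked_at >= ttl:
            self.accounts[user] = AccountState()  # lock expired: start fresh
            return False
        return True

    def record_failure(self, user: str, now: float) -> int:
        """Register a failed login; returns attempts left before lockout (0 once locked)."""
        if self.is_locked(user, now):
            return 0
        st = self.accounts[user]
        if st.failures and now - st.last_failure > self.policy.reset_after:
            st.failures = 0  # quiet period elapsed: the counter resets
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.max_attempts:
            st.locked_at = now  # with auto_unlock_after=None this only clears by operator reset
            return 0
        return self.policy.max_attempts - st.failures

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is rejected while locked; otherwise the counter clears."""
        if self.is_locked(user, now):
            return False
        self.accounts[user] = AccountState()
        return True
```

Whether the value returned by `record_failure` is shown to the user is a separate decision; the tracker only makes it available.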
