  • 53
    Solid advice. Although I still call this locking accounts, it's just with a short timeout Commented Jan 16, 2019 at 16:24
  • 5
    I agree with this for lock-and-forget implementations, but short-duration locks (automatically unlock again after a few minutes) can be useful for rate-limiting brute force attacks. Commented Jan 16, 2019 at 16:46
  • 12
    But should you have a display that informs the user of how long the login delay will be for the next attempt? Commented Jan 16, 2019 at 21:54
  • 5
    @MichaelEricOberlin: Anecdotally, we had a case of one user with a constantly locked account. After many hours spent investigating, it turned out to be a coworker/nemesis of the user who kept doing it to spite the user. It wasn't on a company wide scale but it also doesn't quite require expert skills to lock out someone you want to. Commented Jan 17, 2019 at 13:46
  • 14
    For an online system, doubling the lock-out time doesn't really help all that much. Being locked out with your whole IT department for a couple of days is annoying enough, but it's also not that hard to repeat your attack at increasing intervals, still keeping your team locked out more or less indefinitely. Commented Jan 17, 2019 at 15:05