Question
I am currently working on an application with regard to applying a security policy to the application. We are locking the account after X failed login attempts in Y minutes. The account will be locked for Z minutes. I want to know whether the account should be locked if there are successive failed login attempts, or whether the account should be locked if there are failed attempts within the past Y minutes.
Example: failed login attempts = 3 within 10 mins
If the user enters the wrong username/password 2 times, then logs in successfully the 3rd time. He then logs out and attempts a failed login. (All the attempts are within the 10 minutes.)
Should the account be locked or not?
Explanation / Answer
There is no right or wrong answer. The more aggressive lockout policy is slightly more secure, and slightly less convenient for your users. You have to assess if it is worth doing based on your application's requirements, your knowledge of your user base, the value of the asset you are protecting, your threat model, etc. etc.
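As an added illustration (not part of the original question or answer), the following tracker implements both readings of the policy from the question, X failures within Y minutes locking the account for Z minutes: with `reset_on_success=True` only successive failures count (a successful login clears the counter), with `reset_on_success=False` any failure in the past Y minutes counts. The class names, the user name and the timestamps in the scenario are my own assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

@dataclass
class LockoutPolicy:
    max_failures: int = 3          # X failed attempts ...
    window_seconds: int = 600      # ... within Y minutes (here 10 min) ...
    lock_seconds: int = 900        # ... lock for Z minutes (here 15 min)
    reset_on_success: bool = True  # True: "successive failures" reading; False: "any failures in past Y minutes"

@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of failed attempts in the window
    locked_until: Optional[float] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _prune(self, st: AccountState, now: float) -> None:
        # Drop failures older than the sliding window of Y minutes.
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] <= cutoff:
            st.failures.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        return st.locked_until is not None and now < st.locked_until

    def record(self, user: str, success: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"            # attempts during the lock are rejected, not counted
        if st.locked_until is not None:  # lock has expired: start with a clean slate
            st.locked_until = None
            st.failures.clear()
        self._prune(st, now)
        if success:
            if self.policy.reset_on_success:
                st.failures.clear()    # "successive" reading: a success breaks the streak
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_seconds
            return "locked"
        return "failed"

def run_scenario(reset_on_success: bool) -> list:
    """The question's scenario: 2 failures, a success, then 1 failure, all within 10 minutes (constructed timestamps)."""
    tracker = LockoutTracker(LockoutPolicy(3, 600, 900, reset_on_success))
    events = [(0, False), (60, False), (120, True), (180, False)]
    return [tracker.record("alice", ok, now) for now, ok in events]
```

With the "successive" reading the last attempt is merely a failure; with the "past Y minutes" reading it is the third failure in the window and locks the account.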