Limiting password attempts considered harmful

Whoever thought it was a good idea to lock passwords after a number of incorrect attempts? Aside from being incredibly annoying, it strikes me that this is a very simple vector for a denial of service attack. I’ve been working with a bunch of machines that are linked back to a single-sign-on system, and the central authentication server is set to automatically lock the user’s account after three incorrect attempts at the password. I’ve now had to have it unlocked often twice or three times daily, because it’s very easy to get my password wrong when sudoing to root as regularly as I have to do.

While users are regularly urged to keep their passwords secret, the same can’t be said of their usernames. In fact, in the Unix world, all usernames are clearly available to other users, in the /etc/passwd file as a matter of necessity. Furthermore, I’ve seen plenty of organisations who publish staff usernames in their internal online directories.

What does this mean? Well, it makes it very easy for a disgruntled member of staff to create a denial of service attack by locking huge numbers of users out of their accounts, just by attempting to connect to the systems with a dummy password. I’d be interested to know if Australian law even considered it an offence to do something like this, given that no unauthorised access would be gained. Want to really annoy someone? Grab their mobile phone, type in their PIN wrongly several times, and watch them have to call up their provider to have it unlocked.

Obviously I know why such account locking is done – it’s to prevent brute force attacks on passwords. However, it seems to me that a better solution would be to use a series of backoff timeouts, so that users aren’t permanently locked out, but brute force attacks are rendered less effective, due to the amount of time they’d likely take to be successful.

I noticed that my internet banking account was locked, a few years ago, when I accidentally used the wrong password several times. I wonder how far off we are from someone getting a list of user IDs to such a system, and then locking out all their customers in one hit?

Leave a Reply

Your email address will not be published. Required fields are marked *

Anti-Spam Quiz: