How many rejected logins should there be before a user has to reset their password?

71 views Asked by At

I am creating a login for users and want to make sure the login is user friendly enough, but also will meet the security standards of the larger enterprise customers we are working with. Is there a guideline on the number of login attempts a user should have before they are locked out and have to reset their password?

2

There are 2 answers

0
Neil McGuigan On

Don't lock users out of web apps. Else blackhat will just hammer admin accounts after every lockout period. Then you can never log in.

See Block request for multiple unsuccessful logins for a period of time for a better idea.

But if you don't want to do that, PCI-DSS says <= 6

1
haxim On

There are a few different ways of handling this.

Depending on level of security of the application, a lock out can be effective. It can also be a Denial of Service if someone can attempt to log in to an account 3 times and then lock it out. It really depends on what your website is. If it's a bank it may want a better lockout policy than an online game.

There are two alternatives that usually lead to better results. One is an exponential backoff upon failed login. Every time someone fails to log in, you make the backoff longer, at an exponential rate. This is nice because it doesn't really effect user's who mistype their username/password, but it will stop an attacker trying brute-force their way in with millions of username/password combinations.

Another result is to implement a captcha after a number of failed logins. This also allows the user to still access their account if they can prove that they are a human.