
Password Lockout Disabled

What does this mean?

Account lockout is a security feature commonly seen in applications as a defense against brute-force attacks on the system's password-based authentication process. After a specified number of failed login attempts, the user's account may be blocked for a length of time or until it is unlocked by an administrator. Account lockout may also be triggered by other security situations. An attacker, on the other hand, may take advantage of this security feature to deny service to legitimate system users. As a result, it's critical to make sure the account lockout mechanism isn't unduly restrictive.

What can happen?

A password-guessing attack known as a brute-force attack is a typical issue that web developers confront. A brute-force attack attempts to crack a password by trying every conceivable combination of letters, numbers, and symbols until the one that works is found.

Recommendation

Implement smarter password-throttling systems, such as ones that consider the IP address as well as the login name. Implement a lockout timeout that increases with the number of failed login attempts, eventually leading to a total lockout. Consider alternatives to account lockout that are nonetheless effective against password brute-force attacks, such as displaying a puzzle to solve on the user's workstation.
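The first two recommendations above (throttle on the IP address together with the login name, and escalate the lockout until it becomes total) can be combined in one small policy object. The following Python is an added example written for this page; it is not the page's own C# sample and not part of any product. The class name, parameter values (5 failures, 30-second base lockout, 4 lockouts before a permanent lock) and the injectable clock are all assumptions chosen for illustration; the lockout length doubles on each strike, and the final strike requires an administrator unlock. Keying on the (IP, login name) pair rather than the login name alone is what keeps an attacker from locking out a legitimate user simply by sending bad passwords for that user's name.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class _Record:
    failures: int = 0          # consecutive failures since the last success or lockout
    lockouts: int = 0          # lockout periods applied so far
    locked_until: float = 0.0  # epoch seconds; 0.0 means not currently locked
    permanent: bool = False    # total lockout: only an administrator can clear it


class LoginThrottle:
    """Escalating lockout keyed on (client IP, login name). Illustrative policy, not a library API."""

    def __init__(self, threshold: int = 5, base_lockout: int = 30,
                 max_lockouts: int = 4, clock: Callable[[], float] = time.time):
        self.threshold = threshold        # failures tolerated before each lockout
        self.base_lockout = base_lockout  # seconds for the first lockout; doubles each time
        self.max_lockouts = max_lockouts  # the Nth lockout becomes permanent
        self.clock = clock                # injectable so tests can advance time deterministically
        self._records: Dict[Tuple[str, str], _Record] = {}

    def _rec(self, ip: str, user: str) -> _Record:
        return self._records.setdefault((ip, user), _Record())

    def is_locked(self, ip: str, user: str) -> bool:
        r = self._rec(ip, user)
        return r.permanent or self.clock() < r.locked_until

    def record_failure(self, ip: str, user: str) -> float:
        """Call after a failed password check.

        Returns 0 when no lockout was applied, the lockout length in seconds
        when a timed lockout starts, or infinity when the lock became permanent.
        """
        r = self._rec(ip, user)
        r.failures += 1
        if r.failures < self.threshold:
            return 0
        # Threshold reached: start a new lockout, twice as long as the previous one.
        r.failures = 0
        r.lockouts += 1
        if r.lockouts >= self.max_lockouts:
            r.permanent = True          # total lockout, per the recommendation
            return float("inf")
        duration = self.base_lockout * (2 ** (r.lockouts - 1))
        r.locked_until = self.clock() + duration
        return duration

    def record_success(self, ip: str, user: str) -> None:
        """A successful login clears the consecutive-failure count but keeps the lockout history."""
        self._rec(ip, user).failures = 0

    def admin_unlock(self, ip: str, user: str) -> None:
        """Administrator action that clears any lockout, including a permanent one."""
        self._records.pop((ip, user), None)


def authenticate(throttle: LoginThrottle, ip: str, user: str, password: str,
                 check_password: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Gate the real password check behind the throttle.

    A locked pair is rejected before the password is examined, so the
    attacker learns nothing about the password while locked out.
    """
    if throttle.is_locked(ip, user):
        return False, "locked"
    if check_password(user, password):
        throttle.record_success(ip, user)
        return True, "ok"
    wait = throttle.record_failure(ip, user)
    return False, "locked" if wait else "bad_password"


if __name__ == "__main__":
    # Constructed demonstration: a fake clock and a toy password checker.
    now = [1000.0]
    throttle = LoginThrottle(threshold=3, base_lockout=10, max_lockouts=3, clock=lambda: now[0])
    checker = lambda u, p: (u, p) == ("alice", "correct horse")
    for attempt in ("guess1", "guess2", "guess3", "correct horse"):
        print(attempt, authenticate(throttle, "203.0.113.7", "alice", attempt, checker))
    now[0] += 11  # after the first 10-second lockout expires the real password works again
    print("after wait", authenticate(throttle, "203.0.113.7", "alice", "correct horse", checker))
    print("other IP locked?", throttle.is_locked("198.51.100.9", "alice"))
```

The handler that receives the login request calls `authenticate` once per attempt; because the lockout state lives in the pair (IP, login name), a guess storm from one address locks only that address, while a legitimate user elsewhere continues to log in normally. The constants would be tuned per deployment, and in a real service the record table would live in shared storage rather than process memory.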

Sample Code

Vulnerable:

using System;
using System.Threading;
using System.Web;

// The original sample uses these two bounds without declaring them;
// the values here are placeholders so the fragment compiles.
private int minSeconds = 1;
private int maxSeconds = 5;

private void AuthenticateRequest(object obj, EventArgs ea)
{
  HttpApplication objApp = (HttpApplication) obj;
  HttpContext objContext = (HttpContext) objApp.Context;
  // If user identity is not blank, pause for a random amount of time.
  // The delay only slows each request; nothing counts failed attempts
  // and nothing ever locks the account, so guessing can continue indefinitely.
  if ( objApp.User.Identity.Name != "")
    {
      Random rand = new Random();
      Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
    }
}

References