226 – Avoid account lockouts

Summary

The system must never block a user account after one or several failed authentication attempts.

Description

Account blocking is a double-edged sword if an attacker is trying to guess an account password and if it is blocked on the third attempt, the account is useless, even for the original owner. Extrapolating this case to an attack on all users, a high impact on availability would be generated if the accounts are blocked. The recommendation is to set different controls, for example, a captcha on the third attempt, and if the system does not support captcha, resort to incremental delays before each authentication attempt. This mitigates the risk of brute force attacks (which is what the block is intended to do) and does not generate unavailability.

Supported In

Advanced: True

References

• CAPEC-2. Inducing account lockout
• CAPEC-212. Functionality misuse
• CWE-645. Overly restrictive account lockout mechanism
• MITRE-M1036. Account use policies
• CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices

Weaknesses

• 087 – Account lockout

Last updated

2024/01/18