2

AFAIK the recommended practice to mitigate brute force attacks is to lock an account down for, say, 15 min (perhaps escalating lockout time if the attack continues afterwards?) after, say, 5 failed login attempts.

I understand the reasoning (brute force mitigation) but there's still one thing that worries me. Namely, doesn't this make the site vulnerable to malicious account lockouts?

Less severe version: A petty troll doesn't like user X so they enter a trivially wrong password for account X 5 times in a row. Repeat after 15min.

More severe version: Full blown DOS attack, automated "brute force" attack against the website's recently active users solely for the purpose of triggering the lockout mechanism. Let's say the website has around 1000 logins per day; attack against users who logged in in the last week = at most 7000 accounts, far fewer actually, let's say only 3500; 5 login attempts = 17500 login attempts, I don't know but this seems definitely feasible, doesn't it? And that's already a quite popular site: for websites most vulnerable to such attacks (Internet forums?) these numbers may even be two orders of magnitude smaller!

I don't understand this practice. Doesn't it mitigate brute force password cracking attacks at the cost of opening up glaring vulnerabilities to DOS attacks?

gaazkam
  • Duplicates: https://security.stackexchange.com/questions/1653/protection-against-account-lockout-dos and https://security.stackexchange.com/questions/487/why-do-sites-implement-locking-after-three-failed-password-attempts – schroeder Nov 16 '18 at 20:37

2 Answers

1

Yes, you are right; there is always a need to base this on the risk management of the situation, and to understand what your risks are and which main issue you want to solve ahead of the other issues.

A good practice is to combine measures. For example, you can deploy a login delay that will not really hurt your user experience but will make life hard for the bad guys. Let's say, a random delay of 2 to 10 seconds, and don't lock your user out for more than 2 min.

And better, use a captcha even without blocking users at all (or only block after a large number of failed logins, based on IP address and not on user name).

A nice reference to read (not exactly what you are asking but interesting to get some insights): https://crackstation.net/hashing-security.htm

Yossi
  • That link has no relevance to the question at all. The link is about off-line hash brute force. The question is about online account brute force. – schroeder Nov 16 '18 at 22:35
  • As I mentioned, it's good to know as related information; it's not the answer – Yossi Nov 17 '18 at 18:00
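An added example, not code from the question or either answer, that runs the question's two scenarios (the petty troll and the scrape-and-lock sweep) against a per-account lockout of the kind the question describes, and against a policy built from the combination this answer sketches: a random 2 to 10 second delay on each failure, an account lock capped at 2 min, and blocking the source IP after many failures. The user store, usernames, passwords, addresses and the per-IP threshold of 50 failures are all constructed for the demo; the delay is returned to the caller rather than slept, so the simulation runs instantly.

```python
"""Added example, not code from the question or either answer: simulate the
per-account lockout the question describes beside the combined policy this answer
sketches (random 2-10 s delay, lock capped at 2 min, source-IP blocking)."""
import hashlib
import hmac
import random
import secrets
from collections import defaultdict, namedtuple

LoginResult = namedtuple("LoginResult", "status delay")
# The two policies as keyword sets for LoginThrottle; timings in seconds.
QUESTION_POLICY = dict(lock_seconds=900, ip_max_failures=None, delay=(0, 0))
ANSWER_POLICY = dict(lock_seconds=120, ip_max_failures=50, delay=(2, 10))

class UserStore:
    """Constructed user store: salted PBKDF2 (iterations kept low for demo speed)."""
    def __init__(self, passwords):
        self.records = {}
        for name, pw in passwords.items():
            salt = secrets.token_bytes(16)
            self.records[name] = (salt, self.digest(pw, salt))
        # Unknown users are checked against a dummy record so timing stays uniform.
        self.dummy = (secrets.token_bytes(16), secrets.token_bytes(32))

    @staticmethod
    def digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

    def check(self, name, password):
        salt, digest = self.records.get(name, self.dummy)
        return hmac.compare_digest(self.digest(password, salt), digest) and name in self.records

class LoginThrottle:
    """Failures counted per account and, when ip_max_failures is set, per source
    IP. `now` is passed in so scenarios can jump forward in time; the delay is
    returned for the caller to sleep, so the simulation itself never waits."""
    def __init__(self, store, max_failures=5, lock_seconds=900,
                 ip_max_failures=None, ip_block_seconds=900, delay=(0, 0), seed=0):
        self.store, self.delay, self.rng = store, delay, random.Random(seed)  # seeded: reproducible
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.ip_max_failures, self.ip_block_seconds = ip_max_failures, ip_block_seconds
        self.failures, self.ip_failures = defaultdict(int), defaultdict(int)
        self.locked_until, self.ip_blocked_until = {}, {}

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0.0) > now

    def login(self, user, password, source_ip, now):
        if self.ip_blocked_until.get(source_ip, 0.0) > now:
            return LoginResult("ip_blocked", 0.0)
        if self.is_locked(user, now):
            return LoginResult("locked", 0.0)
        if self.store.check(user, password):
            self.failures[user] = 0
            return LoginResult("ok", 0.0)
        delay = self.rng.uniform(*self.delay)
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lock_seconds
        if self.ip_max_failures is not None:
            self.ip_failures[source_ip] += 1
            if self.ip_failures[source_ip] >= self.ip_max_failures:
                self.ip_blocked_until[source_ip] = now + self.ip_block_seconds
                return LoginResult("ip_blocked", delay)
        return LoginResult("locked" if self.is_locked(user, now) else "bad_password", delay)

def troll_scenario(policy):
    """Question's less severe version: 5 wrong passwords for alice from one
    address; alice then logs in from her own address at once and 3 min later."""
    for _ in range(5):
        policy.login("alice", "wrong", "203.0.113.9", now=0)
    at_once = policy.login("alice", "alice-pw", "198.51.100.7", now=1).status
    later = policy.login("alice", "alice-pw", "198.51.100.7", now=181).status
    return at_once, later

def mass_lockout_scenario(policy, usernames, attacker_ip="203.0.113.9"):
    """Question's more severe version: walk a scraped user list, 5 wrong
    passwords each, all from one address; return how many accounts got locked."""
    for user in usernames:
        for _ in range(5):
            policy.login(user, "wrong", attacker_ip, now=0)
    return sum(1 for user in usernames if policy.is_locked(user, now=1))

def run_demo(user_count=100):
    """Both scenarios under both policies on a constructed site; returns a dict."""
    names = ["user%03d" % i for i in range(user_count)]
    store = UserStore({"alice": "alice-pw", **{n: n + "-pw" for n in names}})
    results = {}
    for label, kwargs in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        results[label] = {
            "troll": troll_scenario(LoginThrottle(store, **kwargs)),
            "mass_locked": mass_lockout_scenario(LoginThrottle(store, **kwargs), names),
        }
    return results

if __name__ == "__main__":
    print(run_demo())
```

Under the per-account policy the troll keeps alice out for the full 15 min and the sweep locks every account on the list; under the combined policy alice is back in after 2 min, and one address locks only as many accounts as its failure budget allows (50 failures at 5 per account = 10) before it is blocked, so the question's 17,500 attempts would need roughly 350 addresses. The IP counter is the weak point: an attacker with a botnet or open proxies spreads the attempts across addresses, which is why the answer pairs it with a captcha rather than relying on it alone.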
1

You are absolutely right: by locking out accounts, a DOS vulnerability is created. If attackers can scrape the website's usernames, they can easily lock out many users. This type of defense against brute force attacks is not recommended; this contains a proper defense against brute force attacks.

CoderPE