Thursday, November 01, 2007

Managing Account Lockout

User accounts are vulnerable to dictionary attacks and brute force attacks. In these attacks the attacker deduces user credentials through successive login attempts. Using tools or scripts enables the attacker to automate the process and establish a positive match more quickly and efficiently.

The "Good Practices" would be:
  1. Design usernames which are not predictable or guessable.
  2. Enforce a strong password policy.
  3. Disable the user account after n successive failed login attempts.
  4. You could also consider locking out the account for a specified amount of time, e.g. 30 minutes.
  5. Display a generic error message to the user on a failed login attempt, e.g. "Authentication Failed - Invalid Username / Invalid Password / Account Locked", so that the response does not reveal which part was wrong.
  6. No automatic account lockouts for admin accounts.
  7. Implement CAPTCHAs to prevent bots or automated username/password guessing.
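The following is an added example (not the blog author's code) showing how practices 3 to 6 fit together in one login routine: a per-account failure counter, a timed lockout, one generic error string for every failure, and an exemption from automatic lockout for admin accounts. The account names, passwords, threshold and lockout window are constructed sample values; the clock is injectable so the lockout expiry can be exercised without waiting 30 minutes.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed example of the post's lockout rules; not the author's code.
# One generic message for every failure, so a caller cannot tell an unknown
# username from a wrong password or a locked account (practice 5).
GENERIC_ERROR = ("Authentication Failed - Invalid Username / "
                 "Invalid Password / Account Locked")

PBKDF2_ROUNDS = 100_000          # assumed work factor for the example
DUMMY_SALT = b"\x00" * 16        # used so unknown users cost the same time


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    is_admin: bool = False
    failed_attempts: int = 0     # successive failures since last success
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


class LoginService:
    def __init__(self, max_attempts=5, lockout_seconds=1800, clock=time.time):
        self.max_attempts = max_attempts        # practice 3: n failures
        self.lockout_seconds = lockout_seconds  # practice 4: e.g. 30 minutes
        self.clock = clock                      # injectable for testing
        self.accounts = {}

    def add_user(self, username, password, is_admin=False):
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest, is_admin)

    def is_locked(self, username):
        acct = self.accounts.get(username)
        return acct is not None and self.clock() < acct.locked_until

    def login(self, username, password):
        """Return (success, message). Every failure yields GENERIC_ERROR."""
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same hashing cost for unknown users so response time
            # does not reveal whether the username exists.
            hash_password(password, DUMMY_SALT)
            return False, GENERIC_ERROR

        if self.clock() < acct.locked_until:
            # Locked: do not even evaluate the password.
            return False, GENERIC_ERROR

        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0            # success resets the counter
            return True, "OK"

        acct.failed_attempts += 1
        if acct.failed_attempts >= self.max_attempts and not acct.is_admin:
            # Practice 4: timed lockout. Practice 6: admins are never locked
            # automatically, so their failures should be alerted on instead.
            acct.locked_until = self.clock() + self.lockout_seconds
            acct.failed_attempts = 0            # fresh window after expiry
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService(max_attempts=3, lockout_seconds=1800)
    svc.add_user("alice", "correct horse battery staple")   # constructed
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(attempt, "->", svc.login("alice", attempt))
    # The fourth call fails with GENERIC_ERROR even though the password is
    # right, because the account is now locked for 30 minutes.
```

Note that the admin exemption in practice 6 only removes the denial-of-service risk of an attacker locking out administrators; it does not make those accounts safer against guessing, so the failed-attempt counter for admin accounts should feed monitoring and alerting rather than being ignored.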


  1. Hi,

    Do you recommend using CAPTCHAs in most places to prevent lockouts?

  2. Can you black list the IP addresses from where the attacks originate?

  3. Hello Dharmesh,

    CAPTCHAs are also of different forms. We need to take care about physically challenged people also.

  4. @anonymous:

    Yes, CAPTCHAs are suitable in some scenarios to prevent successive permutation of user ids or passwords by automated tools or scripts.

  5. @britt:

    It may be a scenario where the user is accessing through a common corporate gateway, and in that case the gateway IP is logged; if this is blacklisted, all other genuine users using that gateway will also be blocked. Also a point to note is that IP addresses can easily be spoofed. So an attacker might still attempt brute force by spoofing IP addresses.

  6. @tejinder:

    Yes, CAPTCHA are of many forms. A very nice article can be found at

  7. I feel that two factor authentication is the best mechanism.

  8. @Raju,

    I agree. I just missed that. Two factor authentication is probably the best mechanism to avoid these kinds of issues. Thanks for adding this.

  9. Additionally, the CAPTCHA should be refreshed when the submitted user name/password is incorrect, and T-FA should be used, like asking for a security answer if the first login attempt has failed.