Sunday, January 25, 2015

login - How many attempts should you give a user before invalidating his password?



What I am trying to avoid here is brute force attacks on a user's password. And I am thinking about doing that by invalidating his password when too many attempts are made in the same minute, hour, day or something similar. The user credentials are for company employees on the road in an Android app.


But, at the same time, I do not want the user to make a few mistakes while inserting it and have it invalidated without any need.


How much is enough? Or, alternatively, how do I determine how much is enough?


Asking in another way, what is the maximum of mistakes a human can possibly do while inserting his password before contacting helpdesk?


Edit: The authentication mechanism is done through the network. The app gets updated information from a company server after the right user logs in.



Answer



This question has been asked multiple times throughout the StackExchange network over the years. Here's a summary of answers:



  • There's no clear research on the subject.

  • If you're in the financial industry and have to be PCI compliant, the limit is 6 attempts.


  • A brute force attack can be recognized using an algorithm. Follow this guide to create an algorithm detecting automated password attempts.

  • Account lock-outs and password attempts limits are put in place to prevent human attackers guessing passwords based on their knowledge of the victim.


Recommendations



  • Microsoft recommends at least 4 attempts and no more than 10.

  • Don't count duplicate password attempts (they probably thought they mistyped it)

  • Make the password hint about the primary password, and don't have a (weak) secondary

  • Allow a trusted party to vouch for the user, so he can change his password.

  • Lock the account in increasing time increments


  • Remind the user of password rules.

  • Lock accounts out for 30 minutes instead of disabling them completely.

  • Instead of locking accounts, present the user with additional security questions.

  • Check for Caps Lock being on (not an issue on mobile though).


See the complete discussion "Why do sites implement locking after 3 failed password attempts?" on Security.SE.


My personal recommendations


I deal a lot with a poorly-designed system where people frequently forget their credentials because they don't use the system often enough to remember them. The system automatically locks user accounts after (I believe) 5 unsuccessful attempts. The lock requires a member of my team to go to the management console, reset the user password manually, and send them an email also manually with the temporary password. The amount of time wasted is horrible, but the system is provided by a vendor and we can't change it.


Whichever system, protocol, and workflow you use, you have to make sure that your users in the field don't have the luxury to wait even 15 minutes to restore access to their account. Thus, you have to create some self-service reactivation process. It could be as simple as sending an email to the user with a password reset link.


Also, keep track of all system status indicators:




  1. Credentials have not been accepted

  2. Email with password reset instructions has been sent.

  3. The number of attempts left until the account is locked.

  4. Account locking notification and a brief description of what to expect next.
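The policy pieces the answer lists (an attempt limit inside the 4 to 10 range, not counting a repeated identical wrong password, escalating lock durations rather than a permanent disable, and reporting the attempts remaining so the client can show it) fit together into one small server-side throttle. The following is an added example written for this page, not code from the question, the answer, or any vendor product. The concrete numbers (5 attempts, a 30/60/300/1800-second lock ladder, a one-hour failure window, PBKDF2 with 100,000 rounds) and every class and function name are assumptions chosen for illustration.

```python
"""Progressive login lockout with duplicate-attempt suppression.

Added example, not code from the original question or answer. All policy
numbers below are assumptions picked to sit inside the 4-10 attempt range
cited in the answer above.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5                       # distinct failures allowed before a lock
LOCKOUT_LADDER = (30, 60, 300, 1800)   # seconds; grows with each successive lock
FAILURE_WINDOW = 3600                  # failures older than this are forgotten
PBKDF2_ROUNDS = 100_000

# Per-process key used to tag the last wrong guess so that an identical retry
# is not counted twice. The tag is keyed so the wrong guess itself is never
# stored in a crackable form; the key is lost on restart, which is fine here.
_GUESS_TAG_KEY = secrets.token_bytes(32)
_DUMMY_SALT = bytes(16)


def _tag(password: str) -> bytes:
    return hmac.new(_GUESS_TAG_KEY, password.encode(), "sha256").digest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failures: int = 0            # distinct wrong guesses in the current window
    first_failure_at: float = 0.0
    lockouts: int = 0            # how many locks so far; indexes the ladder
    locked_until: float = 0.0
    last_bad_guess: Optional[bytes] = None


@dataclass
class LoginResult:
    status: str                  # "ok", "denied" or "locked"
    attempts_left: int = 0       # status indicator 3 in the answer's list
    locked_for: int = 0          # seconds remaining when status == "locked"


class LoginThrottle:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(salt, _hash_password(password, salt))

    def attempt(self, username: str, password: str,
                now: Optional[float] = None) -> LoginResult:
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            # Burn the same PBKDF2 cost and return the same shape as a wrong
            # password so response time and body do not reveal valid usernames.
            _hash_password(password, _DUMMY_SALT)
            return LoginResult("denied", MAX_ATTEMPTS - 1)

        if now < acct.locked_until:
            return LoginResult("locked", 0, int(acct.locked_until - now))

        # Forget failures that fell outside the window (a slow human, not a bot).
        if acct.failures and now - acct.first_failure_at > FAILURE_WINDOW:
            acct.failures = 0
            acct.last_bad_guess = None

        if hmac.compare_digest(_hash_password(password, acct.salt),
                               acct.password_hash):
            acct.failures = 0
            acct.lockouts = 0          # escalation resets on a real login
            acct.last_bad_guess = None
            return LoginResult("ok", MAX_ATTEMPTS)

        tag = _tag(password)
        if acct.last_bad_guess is not None and hmac.compare_digest(tag, acct.last_bad_guess):
            # Same wrong password as last time: the user retyped it, not a new guess.
            return LoginResult("denied", MAX_ATTEMPTS - acct.failures)

        if acct.failures == 0:
            acct.first_failure_at = now
        acct.failures += 1
        acct.last_bad_guess = tag

        if acct.failures >= MAX_ATTEMPTS:
            step = LOCKOUT_LADDER[min(acct.lockouts, len(LOCKOUT_LADDER) - 1)]
            acct.lockouts += 1
            acct.locked_until = now + step
            acct.failures = 0
            acct.last_bad_guess = None
            return LoginResult("locked", 0, step)

        return LoginResult("denied", MAX_ATTEMPTS - acct.failures)
```

The first lock lasts 30 seconds and each further lock climbs the ladder, so a field user who fat-fingers a password is back in well under the 15 minutes the answer calls unacceptable, while an automated guesser is throttled harder every round. The `attempts_left` value is what the client should display as the third status indicator above; the "locked" result with `locked_for` is the fourth. Note that an unknown username cannot decrement a counter it does not have, so a per-source-IP limit is still needed alongside the per-account one.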

