
I was recently locked out of an account (for 30 minutes), not for failing a certain number of attempts at a password, but instead for changing the password after answering security questions.

What do you think the purpose of this security mechanism is?

I was under the impression that the only purpose of a lockout was to prevent brute force password attacks. Since the purpose of security questions is to prove identity without a password, I can't fathom why a lockout would be used in this situation.

schroeder

  • Possibly to give the account holder time to contact support if the change is unauthorized? – Cowthulhu Jan 23 '18 at 17:15
  • Can you give us more context? Was this an app, web service? Public, internal corp? May make a difference, but it does not seem like a general practice. – Eric G Jan 24 '18 at 02:38
  • It was an external federal website, so I suspect they are being overly cautious as usual. I have had the account for years, I think this is new. I also got an email asking if the action was unauthorized so I bet that is it, though I have gotten such emails before from other sites without being locked out. It did specifically say that the lockout was due to the password change though and that is what I thought was weird. Thanks for the insight – Andy Xahir Sirois Jan 24 '18 at 21:26

1 Answer

I am with @Cowthulhu about the cooldown time.

Lastpass uses something similar for their recovery access: you can designate someone as trusted, that person can request access to your password vault, but will have to wait a predefined time (predefined by you, from nothing to a few days) to give you time to revoke the access. In the meantime you receive an email stating that a request was made.

Have you received a message from the site owner right after the change with some similar information ("your password was changed but the user is locked for 30 minutes, if it was not you contact us during that timeframe so that we revert the change")? Since you asked the question, I guess not, but maybe this is buried somewhere in the informational email.

WoJ

  • I believe it was worded similar to that, though the email I got was pretty generic, and said nothing about the lockout, just that the password had been changed. The lockout warning was on the website itself after I tried to log back in. – Andy Xahir Sirois Jan 28 '18 at 14:56
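The cooldown the answer describes, modelled as an added example (this is not code from the answer, the site in question, or LastPass). It assumes the 30-minute window from the question, an out-of-band notification with a revert option, and hypothetical function names; the lock is checked before any credential is compared, so neither the old nor the new password works until the window closes or the owner reverts the change.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example: a recovery-triggered password change opens a cooldown
# during which nobody can log in, and the owner can revert the change.
COOLDOWN = timedelta(minutes=30)   # assumed from the question


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; any slow password hash works here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PendingChange:
    old_hash: bytes          # kept so the change can be undone
    changed_at: datetime
    reverted: bool = False


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    pending: Optional[PendingChange] = None
    notifications: list = field(default_factory=list)   # stands in for e-mail


def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, password_hash=_hash(password, salt))


def cooldown_ends(acct: Account) -> Optional[datetime]:
    """End of the current lock window, or None when no window is open."""
    p = acct.pending
    if p is None or p.reverted:
        return None
    return p.changed_at + COOLDOWN


def is_locked(acct: Account, now: datetime) -> bool:
    end = cooldown_ends(acct)
    return end is not None and now < end


def change_password_via_recovery(acct: Account, new_password: str, now: datetime) -> None:
    """Apply the new password, start the cooldown, and notify the owner out of band."""
    acct.pending = PendingChange(old_hash=acct.password_hash, changed_at=now)
    acct.password_hash = _hash(new_password, acct.salt)
    acct.notifications.append(
        f"Password changed at {now.isoformat()} via security questions; "
        f"login is locked until {(now + COOLDOWN).isoformat()}. "
        "If this was not you, use the revert link before then."
    )


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'ok' or 'bad'. The lock applies before any credential check."""
    if is_locked(acct, now):
        return "locked"
    if hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
        return "ok"
    return "bad"


def revert_change(acct: Account, now: datetime) -> bool:
    """Undo the recovery change; only possible while the cooldown is still running."""
    p = acct.pending
    if p is None or p.reverted or now >= p.changed_at + COOLDOWN:
        return False
    acct.password_hash = p.old_hash
    p.reverted = True          # clears the lock so the owner can log back in
    return True
```

The revert path is what makes the window useful: without it, the lockout only delays an attacker who already answered the questions, and the notification gives the real owner nothing to act on except contacting support.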