We have an application where we are using OS users for authentication and using native OS libraries to authenticate the user's credentials. We have implemented account lockout functionality where we can lock the user's account after a configured number of attempts.
Actually, the Windows OS libraries do not return the difference between an invalid-credential authentication attempt and a fake-user attempt, so that's why we have to insert such attempts into the DB for account locking. But on Unix platforms we used to get a specific return code if the user does not exist in the system, and we only audit such attempts and do not insert a record in the DB, to avoid a DDoS attack. But now they want the same behavior for *ix platforms.
So my question is: what do you suggest from a security perspective? Should we lock the user account, or return the standard message "invalid username or password" so that a hacker trying a fake username should not be able to know whether at least the username is correct?
What do you prefer, guys: returning the account lockout message, which may give the user an indication that the username is correct and only the password is incorrect, or returning the generic error message "invalid username or password"?
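Added example (not from the original post) of the second option raised in the question: a login handler that keeps a lockout counter but answers every failure, unknown user, wrong password or locked account alike, with one generic message, and audits unknown-user attempts without creating a per-user lockout record. The in-memory user table, the `os_authenticate` stand-in for the native OS call and the demo passwords are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_ATTEMPTS = 3
GENERIC_ERROR = "invalid username or password"

# Constructed sample user table; a real deployment would ask the OS/PAM instead.
USERS = {
    "alice": hashlib.sha256(b"correct-horse").digest(),
}
# Digest compared against when the user is unknown, so the hashing work is
# done on every path and the unknown-user case is not faster to observe.
DUMMY_DIGEST = hashlib.sha256(b"placeholder").digest()

failed_attempts = defaultdict(int)  # counters exist for known users only
audit_log = []                      # every failure is recorded here


def os_authenticate(username, password):
    """Stand-in for the native OS call: True only for a valid known pair."""
    digest = USERS.get(username, DUMMY_DIGEST)
    candidate = hashlib.sha256(password.encode()).digest()
    match = hmac.compare_digest(digest, candidate)
    return match and username in USERS


def is_locked(username):
    """Lock state is internal; it is never reported to the caller."""
    return failed_attempts.get(username, 0) >= MAX_ATTEMPTS


def login(username, password):
    """Returns (ok, message); every failure yields the same message."""
    authenticated = os_authenticate(username, password)  # runs on every path
    if username not in USERS:
        # Audit only: no lockout row is created, so invented usernames
        # cannot grow the lockout store.
        audit_log.append(("unknown_user", username))
        return False, GENERIC_ERROR
    if is_locked(username):
        audit_log.append(("locked_attempt", username))
        return False, GENERIC_ERROR
    if not authenticated:
        failed_attempts[username] += 1
        audit_log.append(("bad_password", username))
        return False, GENERIC_ERROR
    failed_attempts[username] = 0
    return True, "ok"
```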