Questions tagged [account-lockout]

38 questions
70
votes
6 answers

Can a malicious actor lock the real user out by deliberately trying incorrect passwords every X minutes?

Some websites lock out a user after a series of incorrect password attempts for example for 15 minutes. If a malicious actor knows this, can they deliberately try logging in with incorrect passwords every 15 minutes to prevent the real person from…
yeti
57
votes
8 answers

Brutalized VPS recovery data now available. Considerations?

Backstory My sites and VPS were stolen from me. The hosting company and I were locked out and unable to access it. They weren't able to create a temp password for access because the attacker blocked it. The last time I was logged into WHM, root…
11
votes
4 answers

What are the drawbacks of login request throttling?

In a web application, one way to protect against password guessing attacks is to lock out accounts after a set number of failed logins. This could be done on both source IP address and username. For example, the following table shows what happens…
9
votes
2 answers

Are FIDO U2F keys (like dual Yubikeys or dual Google Titan keys) undermined by the Google account recovery process?

According to the Google information page here: https://support.google.com/accounts/answer/6103523 If you don’t have another second step or forgot your password Note: 2-Step Verification requires an extra step to prove you own an account. Because of…
knaccc
7
votes
1 answer

Rationale for security lockout after changing a password

I was recently locked out of an account (for 30 minutes), not for failing a certain number of attempts at a password, but instead for changing the password after answering security questions. What do you think the purpose of this security mechanism…
6
votes
1 answer

Desktop Flickers Past Lock Screen

I'm using Fedora 22 with Gnome 3. I have a password set for my user account, so when my laptop awakens from sleep, I am presented with the lock screen and must enter my password before getting to my desktop. Frequently (maybe 10% of the time), when…
6
votes
3 answers

Friend's Instagram account repeatedly hacked despite changing all information and enabling 2FA

My friend's Instagram account has repeatedly been hacked. Someone is gaining access to her account, proceeding to change all the security information to lock her out. Then posts scam ads on her account. We have the full phone number and email address…
6
votes
2 answers

Best practices for handling wrong TOTP tokens

Assume a 2FA system with user-supplied passwords and 6 digit TOTP tokens. It is not possible to test a TOTP token without authenticating with a password first, so whoever submits a token is presumed to know the password. Each token is generated…
Jirka Hanika
4
votes
3 answers

Should a user be able to unlock his own account after being automatically locked out?

Should a user be able to unlock his own account after being locked out? Typically there are requirements that specify that users are to be automatically locked out: The user's account should be locked after too many failed password attempts The…
Ken Liu
4
votes
1 answer

Should user account be locked after X amount of failed logins?

I have almost finished developing my login system and there is one more thing that I'm not sure about. So many debates I found on the internet about counting invalid logins and locking users account. My system stores user names and passwords (that…
2
votes
1 answer

How to suspend a silent observer from a Facebook account?

A friend of mine told me about the following problem: She used to log in to Facebook on a computer of her boyfriend. After they broke up she recognized that he was able to log in to her account from his computer. Of course she then changed her…
fiscblog
2
votes
1 answer

Is it ok to let someone unlock their own account with their admin account?

Scenario: Person A's normal computer account is personA. They have locked this out with too many bad password attempts. The user is part of the IT group, so they also have an admin account: personA-admin. They use this admin account to unlock…
BeckyG
2
votes
1 answer

Facebook security algorithm: Locked out of my own account after resetting password

I created a secondary Facebook account months ago from Argentina. Now I logged back in, and noticed countless logins from RUSSIA and the account is clearly being used by some Russian dude. I logged out from all devices, and changed the password, so…
andreszs
2
votes
2 answers

Account lockout to protect from brute force: doesn't it open up vulnerabilities to DOS attacks?

AFAIK the recommended practice to mitigate brute force attacks is to lock an account down for, say, 15 min (perhaps escalating lockout time if the attack continues afterwards?) after, say, 5 failed login attempts. I understand the reasoning (brute…
1
vote
1 answer

Limiting Login Attempts

I have to set up a server that will allow remote logins. Obviously security is an issue. In this first pass we are discussing: Locking a person for 15 minutes if they fail to log in correctly three times in succession over a five-minute…