
When one of our users attempts to log into OWA while their account is locked out, they receive a message stating that their username or password was incorrect. Is it possible to configure OWA so that it tells them if their account has been locked out?

bshacklett

1 Answer


No, possibly for security reasons. Users should not know that fact. Well, THE user may want to know, but the HACKER that tries to log in as the user should NOT know that his password attempt was not rejected for a wrong password but because he got locked out.

Basic security 101 is to give the hacker as little information as possible.

TomTom
  • Just like when a password is entered wrong, but the dialog box says "username or password not recognized", it gives someone trying to gain unauthorized access no idea which part they have incorrect. – DanBig Jul 17 '12 at 17:31
  • Exactly. As little info as possible. – TomTom Jul 17 '12 at 18:01
  • I get the reasoning behind it, but it's quite frustrating from an end user perspective, and the amount of extra security it provides is minimal. It's very likely that the username will be known to the hacker unless it's a general brute force, in which case password and lockout policies should provide solid protection. Edit: Do you have a reference you can cite, by chance? I'd like to be able to show something to management. Thanks! – bshacklett Jul 20 '12 at 16:01
  • Actually it is not minimal. It is the KEY to lead brute force password cracking attempts directly into a slow death. If you think about it some more time you will realize how bad your statement is about marginal security. – TomTom Jul 20 '12 at 18:04
  • How does the knowledge that an account is locked out help with a brute-force attempt? Once it's locked, that attempt is over and the attacker must move to another method. With reasonable complexity requirements enabled, I find it hard to believe this is much of a concern anyway. An attacker would be lucky to get 100 passwords per second through an OWA prompt, and someone is going to get a call very quickly that the server is being overloaded in that case. That's assuming there is no lockout policy in place. – bshacklett Sep 05 '12 at 13:36
  • @bshacklett Security for beginners. As long as the hacker does not know that the account is locked out, he can not say "that password is invalid". Plus he can not time his attempts to like one every 3 minutes because he never knows. – TomTom Sep 05 '12 at 14:36
  • Fair enough. While I still consider OWA's behavior impractical, I cannot disagree that it would deprive an attacker of a marginal advantage. – bshacklett Sep 05 '12 at 17:33
  • Not quite THAT marginal. An attacker may hit you with 100 passwords per minute, from a list, but has no clue which ones are "not valid" and which ones are "locked out". Heck, he does not even KNOW you have a lock out policy, and what it is. – TomTom Sep 05 '12 at 21:32
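The behaviour the answer defends, as an added illustration that is not part of the original post and not OWA's own code: a login handler that returns one generic message whether the user is unknown, the password is wrong, or the account is locked, while the real reason is recorded only in the server-side log. The user store, salt, threshold and message text are constructed for the example.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass

# Constructed values for the example; a real deployment reads these from policy.
LOCKOUT_THRESHOLD = 3
GENERIC_MESSAGE = "The user name or password you entered isn't correct."

log = logging.getLogger("auth")


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> Account:
    salt = b"constructed-salt"  # fixed only so the example is deterministic
    return Account(salt=salt, pw_hash=_hash(password, salt))


# Constructed in-memory user store.
USERS = {"alice": make_account("correct horse")}


def login(username: str, password: str) -> tuple[bool, str]:
    """Return (success, message). Every failure yields the same message so the
    client learns nothing about which check failed; the log keeps the detail."""
    acct = USERS.get(username)
    if acct is None or acct.locked:
        # Hash anyway so the response time does not betray unknown/locked state.
        _hash(password, acct.salt if acct else b"dummy")
        reason = "unknown_user" if acct is None else "locked_out"
        log.warning("login failed user=%s reason=%s", username, reason)
        return False, GENERIC_MESSAGE
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            log.warning("account locked user=%s", username)
        log.info("login failed user=%s reason=bad_password", username)
        return False, GENERIC_MESSAGE
    acct.failed_attempts = 0
    return True, "Welcome"
```

Once the account is locked, even the correct password gets the generic message, which is exactly the OWA behaviour the question describes.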