What to Check For
Ensure that accounts are locked after consecutive failed login attempts.
Multiple, consecutive failed authentication attempts over a short period of time are a symptom that is used to detect when an account is under attack. Locking out the account prevents the attacker from compromising and accessing the account.
How to Check
Follow these steps to ensure your application will lock out an account after consecutive failed login attempts:
Verify your application has a lockout policy. An account lockout policy is typically application specific. Review your application's requirements and design specifications and verify the following functionality:
- A mechanism for determining failed authentication attempts
- A mechanism for locking accounts that have exceeded the maximum number of allowed authentication attempts
- A mechanism for unlocking accounts that have exceeded the maximum number of allowed authentication attempts
Ensure your application tracks login attempts. All authentication procedures record the number of authentication attempts for each user. The login counter for each user should be reset to 0 upon a successful authentication
Ensure your application enforces the lockout policy. All authentication procedures implement your application's lockout policy. The implementation should match the lockout policy as the business requirements of your organization may change over time
Note: PCI DSS certification requires that logs should include failed access attempts, that a user gets locked out after no more than 6 failed login attempts, and the lockout lasts for at least 30 minutes.