
Automatically Lock Inactive User Accounts

by Serge Truth on September 13, 2011

Applies to

Applications written using Servlets or JSP.

What to Do

Automatically lock inactive user accounts. Log each instance of an account being locked.


Inactive user accounts increase the attack surface of the application and can be used by an attacker as a means of entry.


Design your application so that inactive user accounts can be detected and locked. After deployment, set the system to lock inactive accounts after an appropriate amount of time.


Use the following steps when locking inactive user accounts:

  1. Set a lockout policy. Create the application's lockout policy. Determine the necessary duration of inactivity before an account can be locked/disabled. This policy can vary depending on whether the account is of a normal user or an administrator. For example, disable normal accounts after 45 days of inactivity and administrative accounts after 30 days of inactivity.

  2. Keep track of user inactivity. Establish a mechanism to keep track of the last successful authentication. Successful authentication can be tracked via logs or a timestamp, which resides in the user database. Example:

    sql> select username, last_login_date from users;
    | username | last_login_date |
    | adam | 2006-10-11 |
    | sue | 2006-10-11 |
    | jim | 2006-10-01 |
    | richard | 2006-10-01 |
    | julie | 2006-09-23 |
    | sam | 2006-06-23 |

  3. Set a lockout mechanism. Establish a mechanism to verify the current period of inactivity and automatically set the disabled bit for inactive accounts. Using the application or database server's scheduler, activate such functionality to run during the hours with least user activity. Keep in mind that inactive accounts should be disabled, but not removed until it is confirmed that they should be completely removed. Create a log entry when an account has been disabled.

    For example, the following database transaction would lock all user accounts that have been inactive for more than 30 days. Such a transaction should be scheduled to run once a day:

    sql> update users set locked = 1
    where (current_date - 30) > last_login_date

    Note: The statement above uses Oracle syntax. Please consult your database manual if you use a different database engine.
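The three steps above as one scheduled job, written here as an added example (not code from the original article): the policy differs by account type (45 days for normal users, 30 for administrators, as in step 1), a successful login refreshes the timestamp (step 2), and the job sets the locked bit rather than deleting the row and logs each lock (step 3). The in-memory SQLite table, the role column and the sample rows are constructed for the example; the lock condition mirrors the page's `(current_date - N) > last_login_date`.

```python
import logging
import sqlite3
from datetime import date, timedelta

# Step 1: lockout policy, days of inactivity per account type (values from the article).
LOCKOUT_POLICY_DAYS = {"user": 45, "admin": 30}


def open_sample_db(today):
    """Constructed in-memory sample table; columns follow the article's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT,"
                 " last_login_date TEXT, locked INTEGER NOT NULL DEFAULT 0)")
    sample = [("adam", "user", 0), ("sue", "admin", 10), ("jim", "user", 44),
              ("richard", "admin", 31), ("julie", "user", 46), ("sam", "user", 120)]
    conn.executemany("INSERT INTO users (username, role, last_login_date) VALUES (?, ?, ?)",
                     [(u, r, (today - timedelta(days=d)).isoformat()) for u, r, d in sample])
    return conn


def record_successful_login(conn, username, today):
    """Step 2: refresh the timestamp only after a successful authentication."""
    conn.execute("UPDATE users SET last_login_date = ? WHERE username = ? AND locked = 0",
                 (today.isoformat(), username))
    conn.commit()


def lock_inactive_accounts(conn, today, policy=LOCKOUT_POLICY_DAYS):
    """Step 3: set the locked bit (never delete) and log each lock; returns locked usernames."""
    locked = []
    for role, max_days in policy.items():
        cutoff = (today - timedelta(days=max_days)).isoformat()  # ISO dates compare as strings
        rows = conn.execute("SELECT username FROM users WHERE role = ? AND locked = 0"
                            " AND last_login_date < ?", (role, cutoff)).fetchall()
        for (username,) in rows:
            conn.execute("UPDATE users SET locked = 1 WHERE username = ?", (username,))
            logging.warning("locked inactive %s account %s (no login since %s)", role, username, cutoff)
            locked.append(username)
    conn.commit()
    return sorted(locked)


def run_example():
    """Run the job today, record one login, then run it again 31 days later."""
    today = date(2006, 10, 11)  # matches the dates in the article's sample output
    conn = open_sample_db(today)
    first = lock_inactive_accounts(conn, today)          # richard (admin, 31d), julie, sam
    record_successful_login(conn, "jim", today)          # jim logs in, so he stays active
    second = lock_inactive_accounts(conn, today + timedelta(days=31))  # only sue (admin) now
    return first, second
```

Both runs are idempotent: accounts already locked are skipped, so the job can safely be scheduled daily.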

Note: PCI DSS requirements state that a user account should be locked out after no more than 90 days of inactivity.
