
Accounts are Locked After Consecutive Failed Login Attempts

by Serge Truth on October 4, 2011

What to Check For

Ensure that accounts are locked after consecutive failed login attempts.

Why

Multiple consecutive failed authentication attempts over a short period of time are a symptom used to detect an account under attack (for example, password guessing). Locking the account stops the attacker from continuing to guess and thereby compromising and accessing it.

How to Check

Follow these steps to ensure your application will lock out an account after consecutive failed login attempts:

  1. Verify your application has a lockout policy. An account lockout policy is typically application specific. Review your application's requirements and design specifications and verify that the following functionality is defined:

    • A mechanism for determining failed authentication attempts
    • A mechanism for locking accounts that have exceeded the maximum number of allowed authentication attempts
    • A mechanism for unlocking accounts that have exceeded the maximum number of allowed authentication attempts
  2. Ensure your application tracks login attempts. All authentication procedures must record the number of failed authentication attempts for each user. The failed-login counter for each user should be reset to 0 upon a successful authentication.

  3. Ensure your application enforces the lockout policy. All authentication procedures must implement your application's lockout policy. Keep the implementation in sync with the lockout policy, since the business requirements of your organization may change over time.

Note: PCI DSS certification requires that logs should include failed access attempts, that a user gets locked out after no more than 6 failed login attempts, and the lockout lasts for at least 30 minutes.
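The three mechanisms from the checklist (a failed-attempt counter that resets on success, a lock once the threshold is exceeded, and an unlock) in one small Python class, added here as an illustration and not code from the original post. The threshold of 6 attempts and the 30-minute lockout are taken from the PCI DSS note above; the `check_password` callback, the injectable `clock` and the in-memory `audit_log` are assumptions made so the example runs stand-alone.

```python
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 6      # PCI DSS: lock after no more than 6 failed logins
LOCKOUT_SECONDS = 30 * 60    # PCI DSS: lockout lasts at least 30 minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Tracks failed logins per user and enforces a lockout (constructed example)."""

    def __init__(self, check_password, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self._check_password = check_password  # (username, password) -> bool; assumed
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                     # injectable so tests can advance time
        self.accounts = {}
        self.audit_log = []                    # failed attempts are logged (PCI DSS)

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        return self._state(username).locked_until > self.clock()

    def login(self, username, password):
        """Returns 'ok', 'failed' or 'locked'."""
        state, now = self._state(username), self.clock()
        if state.locked_until > now:           # check the lock before verifying credentials
            self.audit_log.append((now, username, "rejected: account locked"))
            return "locked"
        if self._check_password(username, password):
            state.failed_attempts = 0          # step 2: reset the counter on success
            return "ok"
        state.failed_attempts += 1
        self.audit_log.append((now, username, "failed attempt %d" % state.failed_attempts))
        if state.failed_attempts >= self.max_attempts:   # step 3: enforce the policy
            state.locked_until = now + self.lockout_seconds
            state.failed_attempts = 0          # the counter restarts once the lock expires
            self.audit_log.append((now, username, "account locked"))
            return "locked"
        return "failed"

    def unlock(self, username):
        """Administrative unlock: the third mechanism in the checklist."""
        self.accounts[username] = AccountState()
```

Note that a correct password is still rejected while the account is locked, so the response does not leak whether a guess during the lockout window was right.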

Topics: developer guidance, application security, application risk & compliance
