Accounts are Locked After Consecutive Failed Login Attempts

Posted by Serge Truth on October 4, 2011 at 10:15 AM

What to Check For

Ensure that accounts are locked after consecutive failed login attempts.


Multiple, consecutive failed authentication attempts over a short period of time are a symptom that is used to detect when an account is under attack. Locking out the account prevents the attacker from compromising and accessing the account.

How to Check

Follow these steps to ensure your application will lock out an account after consecutive failed login attempts:

  1. Verify your application has a lockout policy. An account lockout policy is typically application specific. Review your application's requirements and design specifications and verify the following functionality:

    • A mechanism for determining failed authentication attempts
    • A mechanism for locking accounts that have exceeded the maximum number of allowed authentication attempts
    • A mechanism for unlocking accounts that have exceeded the maximum number of allowed authentication attempts
  2. Ensure your application tracks login attempts. All authentication procedures record the number of authentication attempts for each user. The login counter for each user should be reset to 0 upon a successful authentication

  3. Ensure your application enforces the lockout policy. All authentication procedures implement your application's lockout policy. The implementation should match the lockout policy as the business requirements of your organization may change over time

Note: PCI DSS certification requires that logs should include failed access attempts, that a user gets locked out after no more than 6 failed login attempts, and the lockout lasts for at least 30 minutes.

Topics: developer guidance, application security, application risk & compliance

Serge Truth

Written by Serge Truth

Serge is a Content Lead here at Security Innovation. He is an IT and Information Security professional, certified by the Committee on National Security Systems Instruction.