AntiOnline Spotlight: Account Lockouts

May 6, 2005


Login pairs have become the fourth bit of must-know personal information for many modern workers, following name, date of birth, and social security number.

[Photo caption: Before throwing up roadblocks, security and the burden lockout policies place on your support staff must be taken into consideration.]

Others just can't seem to memorize their passwords, much to the dismay of help desks and IT staff. Some resort to writing them on yellow sticky notes and stashing them under keyboards (thinking they are being clever, no doubt), while the especially careless ones plaster them on a corner of their monitors for all to see.

Much like you wouldn't tuck your house keys under the doormat in this day and age, passwords should ideally be kept where criminals can't get to them. In the case of people, that's their memory.

But memory can be a tricky thing for some. It may take a failed attempt or two to get the good old brain going. One too many attempts, and a phone call to the help desk is sure to follow.

Locking an account after too many failed attempts is a sensible precaution: it helps ensure that unauthorized persons don't have easy access to your network. But if poorly implemented, it can result in a constant stream of anguished calls. Too lax, and the odds tip in an intruder's favor.

Can balance be achieved?


Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.

This Week's Spotlight Thread:
Account Disable/Lockout Policy?

thwhomp wonders how other companies arrive at a good account lockout policy.

Just wondering what other people do for an account lockout policy: a policy that either disables or locks out an account after X amount of tries within a given time frame.

Our boggle is that we are not sure whether it would be best to just disable an account after X amount of failed login attempts within X amount of time, or instead lock out the account for 15-30 minutes after X amount of failed login attempts within X amount of time.

I look forward to any ideas on what other organizations do or are looking to do for this area.

Appropriately named, RoadClosed tells us:

I use 4 attempts, reset the counter after 1 hour, and lock out the user until an admin resets the account, so that we can look at the logs and see if the attempts continued after lockout. That way you can identify and verify whether the user did it or some automated process.

After learning that the policy may affect 30,000 workstations, zENGER says...

I think with 30k workstations, if you do mandatory lockouts, you're going to be getting a LOT of calls. The time-based deal might work better for you, but it all depends on how sensitive you feel your data is. If you do use the time-based thing, you'll possibly have a large amount of people who can't work for 30 minutes, which could produce a lack of efficiency, but I think that's better than paying tons of password reset HD people.

Whatever decision is reached, KuiXing-2005 suggests getting everyone on board.

Whatever solution you decide upon, you should also discuss with the manager or supervisor of the helpdesk to see how much traffic they are dealing with now, what any change to a standard or policy would be, and even check to see what ideas they may have for account disable/lockout.

With that many workstations, or even more, disabling accounts and having the users calling in and going on tirades probably would not work; time-based lockouts may work better, but again you may wish to discuss with the help desk as well.
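To make the trade-offs in the thread concrete, here is an added example (not code from the AntiOnline thread or any of its posters) that models both policy variants thwhomp asks about: a timed lockout that clears itself after a set number of minutes, and an administrative disable that stays in place until an admin resets it. It also implements the two details RoadClosed describes: a failure counter that resets after an idle hour, and a record of every attempt made against an account while it is locked, so whoever reviews the logs can see whether guessing continued after the lock. The threshold, window, lockout length, user names and timestamps are all constructed assumptions for the demonstration, not recommendations from the page.

```python
"""Account lockout policy simulator (added example, not the thread's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 4                            # failures before locking (assumed)
    reset_window: timedelta = timedelta(hours=1)  # counter resets after this idle time
    lockout_minutes: Optional[int] = 30           # None = locked until admin reset


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked: bool = False
    locked_until: Optional[datetime] = None       # None while locked = indefinite
    attempts_while_locked: List[datetime] = field(default_factory=list)


class LockoutTracker:
    """Tracks failed logins per account and applies the policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def record_attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Returns 'ok', 'failed', 'locked_out' (locked by this attempt) or 'locked'.

        `password_ok` is the outcome of the credential check; `now` is passed in
        explicitly so the behaviour is deterministic and testable.
        """
        st = self._state(user)

        # A timed lock that has expired clears itself and the counter.
        if st.locked and st.locked_until is not None and now >= st.locked_until:
            st.locked, st.locked_until, st.failures = False, None, 0

        # While locked, the credential result is irrelevant: log it and refuse.
        if st.locked:
            st.attempts_while_locked.append(now)
            return "locked"

        if password_ok:
            st.failures = 0
            return "ok"

        # Forget stale failures once the reset window has passed since the last one.
        if st.last_failure is not None and now - st.last_failure > self.policy.reset_window:
            st.failures = 0
        st.failures += 1
        st.last_failure = now

        if st.failures >= self.policy.threshold:
            st.locked = True
            if self.policy.lockout_minutes is not None:
                st.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return "locked_out"
        return "failed"

    def admin_reset(self, user: str) -> int:
        """Unlocks the account; returns how many attempts arrived while it was locked."""
        seen = len(self._state(user).attempts_while_locked)
        self.accounts[user] = AccountState()
        return seen


def run_scenarios():
    """Constructed scenarios; returns the outcomes for each policy variant."""
    t0 = datetime(2005, 5, 6, 9, 0)
    minute = timedelta(minutes=1)

    # 1. Timed lockout: four bad passwords, one attempt during the lock (logged and
    #    refused), then the correct password once the 30-minute lock has expired.
    timed = LockoutTracker(LockoutPolicy(threshold=4, lockout_minutes=30))
    timed_out = [timed.record_attempt("alice", False, t0 + i * minute) for i in range(4)]
    timed_out.append(timed.record_attempt("alice", True, t0 + 10 * minute))
    timed_out.append(timed.record_attempt("alice", True, t0 + 35 * minute))

    # 2. Disable until admin reset: even the right password two hours later is refused.
    disable = LockoutTracker(LockoutPolicy(threshold=4, lockout_minutes=None))
    for i in range(4):
        disable.record_attempt("bob", False, t0 + i * minute)
    disable_out = [disable.record_attempt("bob", True, t0 + timedelta(hours=2))]
    seen = disable.admin_reset("bob")          # admin sees 1 attempt made while locked
    disable_out.append(disable.record_attempt("bob", True, t0 + timedelta(hours=3)))

    # 3. Counter reset: three failures, then a fourth more than an hour after the
    #    last one does not lock, because the counter has been reset to zero.
    spaced = LockoutTracker(LockoutPolicy(threshold=4, lockout_minutes=30))
    for m in (0, 20, 40):
        spaced.record_attempt("carol", False, t0 + m * minute)
    spaced_out = spaced.record_attempt("carol", False, t0 + 120 * minute)

    return timed_out, disable_out, seen, spaced_out


if __name__ == "__main__":
    print(run_scenarios())
```

The attempt log is the part worth keeping whichever variant you choose: a locked account that keeps receiving attempts at machine pace looks very different in the logs from one whose owner gave up and called the help desk, which is the distinction RoadClosed wants an admin to be able to make before resetting.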

What's your lockout policy? Tell us here.
