Time to bang my own trumpet - occasionally I receive requests to
address a particular customer requirement, viz: "three-strikes"
lockout, where if a person fails to log in to a system (e.g. by
mistyping a password) three times in succession, some manner of
portcullis drops and the resource is barred from further access. The
account gets locked, in the same old way that was popular on
even-then-antiquated mainframes back when I was a student, some 20
years ago.
So I wrote this explanation of my thoughts upon the matter:
"Three-Strikes" Password Security Considered Antiquated, Hazardous, Stupid and Wrong.
(...deletia...)
The problems of "three-strikes" in the modern enterprise environment
are legion: in modern distributed authentication directories - NIS,
LDAP, etc. - there is typically no central authority counting the
number of failed authentication attempts, generally for technical
reasons. For example, LDAP is deeply sub-optimal for poking little
bits of data like that back to a central place for immediate
propagation to all replicas. No immediacy == no security.
Even if there were a central authority that brokered this sort of
information, it would be subject to flooding attacks by miscreants who
could tie up that one service and thereby prevent anyone from
authenticating in your enterprise, with significant business impact.
You cannot architect around this risk by including a "timeout" or
other "we've tried checking whether the user has struck out but got no
reply, so we'll let him in anyway" mechanism, because that defeats the
whole point of the policy.
Anyway - what merits being called "authentication" nowadays? Would you
like it if you changed your system password, and then - having walked
away for a coffee - your automatic IMAP-enabled mail client goofed up
three authentications and locked you out of your own system because
you forgot to update the client?
(continues...)
- Alec
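To make the argument concrete, here is a small simulation added here (not code from the original post or from Sun) of the failure modes described above, with a hypothetical StrikeService standing in for the central strike counter: the stale IMAP client locks the account's real owner out, a fail-closed check denies everyone during an outage, and the fail-open shortcut admits an account that is supposedly locked.

```python
"""Added simulation (not Alec's code) of the three-strikes failure
modes the post describes; names here are hypothetical."""
from dataclasses import dataclass, field

MAX_STRIKES = 3  # the policy under discussion

@dataclass
class StrikeService:
    """Central authority counting failed logins; reachable=False
    models the flood/outage case where callers get no reply."""
    strikes: dict = field(default_factory=dict)
    reachable: bool = True

    def is_locked(self, user):
        if not self.reachable:
            raise TimeoutError("strike service unavailable")
        return self.strikes.get(user, 0) >= MAX_STRIKES

    def record_failure(self, user):
        if self.reachable:  # a failure during an outage is simply lost
            self.strikes[user] = self.strikes.get(user, 0) + 1

def login(service, user, password_ok, fail_open):
    """Return "ok", "denied" or "locked"; fail_open is the timeout
    shortcut ("we got no reply, so let him in anyway")."""
    try:
        if service.is_locked(user):
            return "locked"
    except TimeoutError:
        if not fail_open:
            return "denied"  # fail-closed: an outage denies everyone
        # fail-open: the strike check is skipped entirely
    if not password_ok:
        service.record_failure(user)
        return "denied"
    return "ok"

def stale_client_scenario():
    """Password changed; an IMAP client retries the old one three
    times, then the user types the correct password."""
    svc = StrikeService()
    for _ in range(MAX_STRIKES):
        login(svc, "alice", password_ok=False, fail_open=False)
    return login(svc, "alice", password_ok=True, fail_open=False)

def outage_scenario(strikes, fail_open):
    """Service unreachable while "alice", at the given strike count,
    presents the correct password."""
    svc = StrikeService(strikes={"alice": strikes}, reachable=False)
    return login(svc, "alice", password_ok=True, fail_open=fail_open)
```

Running the scenarios shows the owner refused with the right password after the client's three misses, an outage refusing an innocent user under fail-closed, and a supposedly locked account admitted under fail-open.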
tags:
passwords
security
slotd
solaris
strikes
three
Trackback URL: http://blogs.sun.com/security/entry/2007_04_09_security_link