This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Weak lock out mechanism (OTG-AUTHN-003)"
| Line 2: | Line 2: | ||
| − | == | + | == Summary == |
| − | + | ||
| − | .. | + | Account lockout mechanisms are used to mitigate against brute force password guessing attacks. Accounts are typically locked out after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism or intervention by an administrator. Account lockout mechanisms require a balance between protecting accounts from unauthorised access and protecting users from being denied authorised access. Factors to consider when implementing an account lockout mechanism: |
| − | + | ||
| + | # What is the risk of brute force password guessing against the application? | ||
| + | # Is a CAPTCHA sufficient to mitigate this risk? | ||
| + | # Number of unsuccessful logon attempts before lockout | ||
| + | # How will accounts be unlocked? | ||
| + | ## Manually by an administrator | ||
| + | ## After a period of time. What is the lockout period? | ||
| + | |||
Note that this test should cover all aspects of authentication where lock out mechanisms would be appropriate, e.g. when the user is presented with security questions during forgotten password mechanisms (see [[Testing for Weak security question/answer (OTG-AUTHN-008)]]). | Note that this test should cover all aspects of authentication where lock out mechanisms would be appropriate, e.g. when the user is presented with security questions during forgotten password mechanisms (see [[Testing for Weak security question/answer (OTG-AUTHN-008)]]). | ||
| − | + | ||
| − | == | + | == Test objectives == |
| − | + | ||
| − | ... | + | Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. |
| − | + | ||
| − | == | + | Evaluate the re-activation mechanism's resistance to unauthorised account re-activation. |
| − | + | ||
| − | + | == How to test == | |
| − | + | ||
| − | + | # Number of unsuccessful logon attempts before lockout | |
| + | # How will accounts be unlocked? | ||
| + | ## Manually by an administrator | ||
| + | ## After a period of time. What is the lockout period? | ||
| + | |||
| + | === Example === | ||
| + | |||
| + | |||
| + | |||
| + | == Tools == | ||
| + | |||
== References == | == References == | ||
| − | + | ||
| − | .. | + | |
| − | + | == Remediation == | |
| − | + | ||
| + | Implement CAPTCHA with the account logon page. | ||
| + | |||
| + | Apply account reactivation mechanisms depending on the risk level. In order from lowest to highest assurance: | ||
| + | |||
| + | # Time-based lockout and reactivation | ||
| + | # Self-service reactivation (sends reactivation email to registered email address) | ||
| + | # Manual administrator reactivation | ||
| + | # Manual administrator reactivation with positive user identification | ||
Revision as of 13:16, 6 November 2013
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Summary
Account lockout mechanisms are used to mitigate against brute force password guessing attacks. Accounts are typically locked out after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism or intervention by an administrator. Account lockout mechanisms require a balance between protecting accounts from unauthorised access and protecting users from being denied authorised access. Factors to consider when implementing an account lockout mechanism:
- What is the risk of brute force password guessing against the application?
- Is a CAPTCHA sufficient to mitigate this risk?
- Number of unsuccessful logon attempts before lockout
- How will accounts be unlocked?
- Manually by an administrator
- After a period of time. What is the lockout period?
Note that this test should cover all aspects of authentication where lock out mechanisms would be appropriate, e.g. when the user is presented with security questions during forgotten password mechanisms (see Testing for Weak security question/answer (OTG-AUTHN-008)).
Test objectives
Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.
Evaluate the re-activation mechanism's resistance to unauthorised account re-activation.
How to test
- Number of unsuccessful logon attempts before lockout
- How will accounts be unlocked?
- Manually by an administrator
- After a period of time. What is the lockout period?
Example
Tools
References
Remediation
Implement CAPTCHA with the account logon page.
Apply account reactivation mechanisms depending on the risk level. In order from lowest to highest assurance:
- Time-based lockout and reactivation
- Self-service reactivation (sends reactivation email to registered email address)
- Manual administrator reactivation
- Manual administrator reactivation with positive user identification
