Testing for Weak Lock Out Mechanism
Summary

Account lockout mechanisms are used to mitigate brute force attacks. Some of the attacks that can be defeated by using a lockout mechanism:
Account lockout mechanisms require a balance between protecting accounts from unauthorized access and protecting users from being denied authorized access. Accounts are typically locked after 3 to 5 unsuccessful attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention from an administrator. Brute force attacks are easy to conduct, and a successful one is dangerous: the attacker gains full access to the user account and to all the functionality and services that account can reach.

Test Objectives
How to Test

Lockout Mechanism

To test the strength of lockout mechanisms, you will need access to an account that you are willing or can afford to lock. If you have only one account with which you can log on to the web application, perform this test at the end of your test plan to avoid losing testing time by being locked out. To evaluate the account lockout mechanism's ability to mitigate brute force password guessing, attempt to log in with an incorrect password a number of times, then use the correct password to verify that the account was locked out. An example test may be as follows:
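The procedure described above, as an added example that is not part of the original page or of OWASP's own material: a toy in-memory login service with a per-account lockout (threshold of 5 attempts and a 15-minute lockout are assumed values), and the test run against it with an injected clock so the "wait for the lock to expire" step needs no real waiting. A weak implementation (for example one that resets the counter or unlocks the account when the correct password is supplied) would show up as `ok` where the test expects `locked`.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5         # failed attempts before the account locks (assumed value)
    duration: float = 15 * 60  # seconds the lock lasts (assumed value)


class AuthService:
    """Toy in-memory login backend with a per-account failed-attempt counter."""

    def __init__(self, users, policy=None, clock=time.time):
        self._users = dict(users)      # username -> password (plaintext only for the demo)
        self._policy = policy or LockoutPolicy()
        self._clock = clock            # injectable so tests need not sleep
        self._failures = {}            # username -> consecutive failed attempts
        self._locked_until = {}        # username -> unix time at which the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        return until is not None and self._clock() < until

    def login(self, username, password):
        """Return 'ok', 'invalid' or 'locked'.

        The lock is checked before the password is compared, so a correct
        password neither unlocks the account nor produces a different response
        from a wrong one while the lock is active."""
        if self.is_locked(username):
            return "locked"
        if self._users.get(username) == password:
            self._failures.pop(username, None)   # a successful login resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self._policy.threshold:
            self._locked_until[username] = self._clock() + self._policy.duration
            self._failures.pop(username, None)
            return "locked"
        return "invalid"


def run_lockout_test(auth, username, wrong_password, right_password, attempts):
    """The manual test from the text, automated: submit `attempts` wrong
    passwords, then the right one.  Returns every response in order; if the
    mechanism works, the final entry (the correct password) is 'locked'."""
    results = [auth.login(username, wrong_password) for _ in range(attempts)]
    results.append(auth.login(username, right_password))
    return results


class FakeClock:
    """Controllable clock so the 'wait for the lock to expire' step is instant."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    auth = AuthService({"alice": "correct horse"},
                       LockoutPolicy(threshold=5, duration=15 * 60), clock)

    # Step 1: five wrong passwords, then the right one -> the last response must be 'locked'.
    first = run_lockout_test(auth, "alice", "wrong", "correct horse", attempts=5)
    # Step 2: the right password is still refused part-way through the lockout period.
    clock.advance(5 * 60)
    still_locked = auth.login("alice", "correct horse")
    # Step 3: once the full duration has elapsed the right password is accepted again.
    clock.advance(10 * 60 + 1)
    after_expiry = auth.login("alice", "correct horse")
    return first, still_locked, after_expiry


if __name__ == "__main__":
    print(demo())
```

Against a real target, `AuthService.login` is the HTTP login request and the responses are whatever the application returns; the shape of the test stays the same. Two things worth keeping from the toy: the lock is evaluated before the credential check, and the counter is kept per account rather than per session or per source IP, otherwise an attacker who rotates sessions or addresses never trips it.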
A CAPTCHA may hinder brute force attacks, but CAPTCHAs come with their own set of weaknesses and should not replace a lockout mechanism. A CAPTCHA mechanism may be bypassed if implemented incorrectly. CAPTCHA flaws include:
To evaluate CAPTCHA effectiveness:
Repeat this process for every function that could require a lockout mechanism.

Unlock Mechanism

To evaluate the unlock mechanism's resistance to unauthorized account unlocking, initiate the unlock mechanism and look for weaknesses. Typical unlock mechanisms may involve secret questions or an emailed unlock link. The unlock link should be a unique one-time link, to stop an attacker from guessing or replaying the link and performing brute force attacks in batches. Note that an unlock mechanism should only be used for unlocking accounts. It is not the same as a password recovery mechanism, but it can follow the same security practices. Apply account unlock mechanisms depending on the risk level. In order from lowest to highest assurance:
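The unlock-link properties described above (unique, unguessable, one-time, expiring), as an added example that is not part of the original page or of OWASP's own material. The 15-minute validity, the `/unlock?token=...` path mentioned in a comment, and the choice to store only a SHA-256 hash of the token are assumptions; timestamps are passed explicitly so the checks run without waiting.

```python
import hashlib
import secrets
import time


class UnlockTokenStore:
    """Issues and redeems one-time, expiring unlock tokens for emailed unlock links."""

    TTL = 15 * 60  # seconds an unlock link stays valid (assumed value)

    def __init__(self):
        self._pending = {}  # sha256(token) -> (username, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create a token to embed in the unlock link, e.g. /unlock?token=...
        (the path is an assumption).  256 bits from the OS CSPRNG make guessing
        infeasible; only the hash is stored, so a leaked table yields no usable links."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, now + self.TTL)
        return token

    def redeem(self, token, now=None):
        """Consume a token.  Returns the username to unlock, or None when the
        token is unknown, already used, or expired.  The entry is removed on the
        first attempt regardless of outcome, so replaying a link never succeeds."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        return username if now <= expiry else None


def unlock_link_checks():
    """Exercise the properties the text asks for; returns one result per check."""
    store = UnlockTokenStore()
    t0 = 1_700_000_000.0

    token = store.issue("alice", now=t0)
    first_use = store.redeem(token, now=t0 + 60)       # expected: "alice"
    replay = store.redeem(token, now=t0 + 61)          # expected: None (one-time)

    stale = store.issue("alice", now=t0)
    expired = store.redeem(stale, now=t0 + UnlockTokenStore.TTL + 1)  # expected: None
    after_expiry_retry = store.redeem(stale, now=t0)   # expected: None (already discarded)

    guessed = store.redeem(secrets.token_urlsafe(32), now=t0)  # expected: None
    return first_use, replay, expired, after_expiry_retry, guessed


if __name__ == "__main__":
    print(unlock_link_checks())
```

When testing a real application, the same checks apply from the outside: request two unlock links for the same account and compare them, use a link twice, use one after the stated validity window, and tamper with a few characters of the token. Any of those succeeding is the weakness the text warns about.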
Factors to consider when implementing an account lockout mechanism:
How many attempts is the account lockout threshold?

The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause the account to be locked. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. A locked account can't be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires.
What is the recommended account lockout duration?

It's advisable to set Account lockout duration to approximately 15 minutes. If Account lockout duration is set to 0, the account remains locked until an administrator explicitly unlocks it. To specify that the account will never be locked out, set the Account lockout threshold value (not the duration) to 0.
How many times can you try a Windows password?

That depends on the configured Account Lockout Policy. With a threshold of 5 and a lockout duration of 5 minutes, for example, a fifth incorrect password locks the account for five minutes before it automatically unlocks.
Where is the account lockout threshold?

The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.