Common Weakness Enumeration

CWE-645

Overly Restrictive Account Lockout Mechanism

The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.

Mitigation

Phase: Architecture and Design

Description:

  • Implement more intelligent password throttling mechanisms, such as those that key the failure count on the source IP address in addition to the login name, so that a remote attacker's failed guesses do not lock the legitimate user out of their own session.

Mitigation

Phase: Architecture and Design

Description:

  • Implement a lockout timeout that grows as the number of incorrect login attempts goes up (for example, doubling after each failure), eventually resulting in a complete lockout.

Mitigation

Phase: Architecture and Design

Description:

  • Consider alternatives to account lockout that would still be effective against password brute force attacks, such as presenting the client machine with a computational puzzle (proof of work) that it must solve before each further attempt; this makes guessing expensive for the attacker without denying the legitimate user access.

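The three mitigations above combined into one runnable example, added here as an illustration and not code from the CWE or CAPEC entries: failures are counted per (login name, source IP) pair, the wait after each failure doubles up to a cap and then becomes a complete lockout of that pair only, and a hashcash-style puzzle whose difficulty rises with the failure count can be demanded instead of blocking. The class name `LoginThrottle`, the thresholds, the `clock` injection and the sample usernames and addresses are all assumptions made for the example.

```python
"""Illustrative CWE-645 mitigations (added example, not CWE/CAPEC code).
Thresholds, names and sample data below are assumptions for the demo."""
import hashlib
import os
import time


class LoginThrottle:
    """Throttle keyed on (login name, source IP), not on the account alone,
    so a remote attacker only ever locks out the pair they are abusing."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0,
                 hard_lock_failures=15, clock=time.time):
        self.free_attempts = free_attempts            # failures before any delay
        self.base_delay = base_delay                  # first delay (s); doubles per failure
        self.max_delay = max_delay                    # cap on the growing delay
        self.hard_lock_failures = hard_lock_failures  # failures at which the pair is fully locked
        self.clock = clock                            # injectable clock for testing
        self._state = {}                              # key -> [failures, locked_until, hard_locked]

    @staticmethod
    def _key(username, ip):
        return (username.strip().lower(), ip)

    def is_allowed(self, username, ip):
        st = self._state.get(self._key(username, ip))
        if st is None:
            return True
        failures, locked_until, hard_locked = st
        return not hard_locked and self.clock() >= locked_until

    def record_failure(self, username, ip):
        """Record a wrong password; return the delay (s) now imposed on this pair."""
        st = self._state.setdefault(self._key(username, ip), [0, 0.0, False])
        st[0] += 1
        if st[0] <= self.free_attempts:
            return 0.0
        if st[0] >= self.hard_lock_failures:
            st[2] = True                              # complete lockout of this pair only
            return float("inf")
        delay = min(self.base_delay * 2 ** (st[0] - self.free_attempts - 1), self.max_delay)
        st[1] = self.clock() + delay
        return delay

    def record_success(self, username, ip):
        self._state.pop(self._key(username, ip), None)

    def puzzle_difficulty(self, username, ip):
        """Leading zero bits the client must produce before its next attempt."""
        st = self._state.get(self._key(username, ip))
        failures = 0 if st is None else st[0]
        return min(max(0, failures - self.free_attempts) * 4, 24)


def new_challenge():
    """Server issues a fresh random challenge per attempt so work cannot be replayed."""
    return os.urandom(16).hex()


def verify_puzzle(challenge, bits, counter):
    """Server side: one SHA-256 to check that the top `bits` bits of the hash are zero."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return bits == 0 or int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve_puzzle(challenge, bits):
    """Client side: brute-force a counter; expected cost is 2**bits hashes."""
    counter = 0
    while not verify_puzzle(challenge, bits, counter):
        counter += 1
    return counter


def demo():
    """CAPEC-2 scenario: attacker hammers 'alice' from their own address.
    Returns (victim still allowed from her IP, attacker allowed from theirs)."""
    clock = [1000.0]                                   # constructed fixed clock
    throttle = LoginThrottle(clock=lambda: clock[0])
    victim, victim_ip, attacker_ip = "alice", "203.0.113.7", "198.51.100.9"
    for _ in range(10):
        throttle.record_failure(victim, attacker_ip)
    return throttle.is_allowed(victim, victim_ip), throttle.is_allowed(victim, attacker_ip)


if __name__ == "__main__":
    print(demo())                                      # (True, False)
    ch = new_challenge()
    print(verify_puzzle(ch, 12, solve_puzzle(ch, 12)))  # True
```

Keying on the source address defeats the single-address CAPEC-2 attacker, but it is not a full answer to distributed brute force (an attacker with many addresses restarts the count on each one) and it misbehaves behind shared NAT or proxies, where one abuser can still delay everyone on that egress address. That is why the puzzle is kept as the second line: its cost scales with the guesser's own failure count and never denies the legitimate user, and in a real deployment the "complete lockout" stage should be time-bounded or resettable by the user (for example via a verified second factor) rather than permanent.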
CAPEC-2: Inducing Account Lockout

An attacker turns a security mechanism intended to thwart attacks into a denial of service against a legitimate user of the system. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect login attempts. An attacker can deliberately trigger this mechanism, by submitting wrong passwords for the target's login name, to lock a legitimate user out of their own account. The weakness being leveraged is the very security feature that was put in place to counteract attacks.