CWE-645
Overly Restrictive Account Lockout Mechanism
The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.
Mitigation
Phase: Architecture and Design
Description:
- Implement more intelligent password throttling mechanisms, such as ones that key on the source IP address in addition to the login name, so that a run of failures from one address does not lock the account for a legitimate user connecting from another.
Mitigation
Phase: Architecture and Design
Description:
- Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout.
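The two mitigations above, as an added example (not CWE reference code): a naive per-username lockout, which reproduces the CWE-645 weakness, next to a throttle that counts failures per (username, source address) and doubles its wait after each failure before a complete lockout. Class names, thresholds and the addresses in the scenario are assumptions for illustration.

```python
"""Added example (not CWE reference code): a naive per-username lockout next to
an IP-aware, escalating throttle. Thresholds and names are illustrative."""

import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: float = 0.0   # clock value; math.inf means complete lockout


class NaiveLockout:
    """CWE-645 pattern: N bad passwords for a username lock it for everyone."""

    def __init__(self, max_failures: int = 3, lock_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self._by_user: Dict[str, _Counter] = {}

    def allowed(self, username: str, client_ip: str) -> bool:
        c = self._by_user.get(username)          # client_ip is ignored: that is the flaw
        return c is None or self.clock() >= c.blocked_until

    def record_failure(self, username: str, client_ip: str) -> float:
        c = self._by_user.setdefault(username, _Counter())
        c.failures += 1
        if c.failures >= self.max_failures:
            c.blocked_until = self.clock() + self.lock_seconds
            return self.lock_seconds
        return 0.0

    def record_success(self, username: str, client_ip: str) -> None:
        self._by_user.pop(username, None)


class EscalatingThrottle:
    """Mitigations 1 and 2: failures are counted per (username, source address);
    after `free_attempts` the wait doubles on every failure (capped), and only a
    long run of failures from the same source ends in a complete lockout."""

    def __init__(self, free_attempts: int = 3, base_seconds: float = 2.0,
                 max_seconds: float = 3600.0, hard_lock_after: int = 12,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free_attempts, self.base_seconds = free_attempts, base_seconds
        self.max_seconds, self.hard_lock_after, self.clock = max_seconds, hard_lock_after, clock
        self._by_pair: Dict[Tuple[str, str], _Counter] = {}

    @staticmethod
    def _key(username: str, client_ip: str) -> Tuple[str, str]:
        return (username.casefold(), client_ip)

    def allowed(self, username: str, client_ip: str) -> bool:
        c = self._by_pair.get(self._key(username, client_ip))
        return c is None or self.clock() >= c.blocked_until

    def record_failure(self, username: str, client_ip: str) -> float:
        """Record a bad password; return the wait (seconds) now imposed on this pair."""
        c = self._by_pair.setdefault(self._key(username, client_ip), _Counter())
        c.failures += 1
        if c.failures >= self.hard_lock_after:
            c.blocked_until = math.inf           # complete lockout, for this source only
            return math.inf
        if c.failures <= self.free_attempts:
            return 0.0
        wait = min(self.base_seconds * 2 ** (c.failures - self.free_attempts - 1), self.max_seconds)
        c.blocked_until = self.clock() + wait
        return wait

    def record_success(self, username: str, client_ip: str) -> None:
        self._by_pair.pop(self._key(username, client_ip), None)


def lockout_scenario(policy, attempts: int = 5) -> Dict[str, bool]:
    """Constructed CAPEC-2 scenario: an attacker at 203.0.113.5 sends `attempts`
    wrong passwords for 'alice'; can alice still log in from 198.51.100.7?"""
    for _ in range(attempts):
        policy.record_failure("alice", "203.0.113.5")
    return {"attacker_blocked": not policy.allowed("alice", "203.0.113.5"),
            "victim_blocked": not policy.allowed("alice", "198.51.100.7")}


if __name__ == "__main__":
    print("naive    :", lockout_scenario(NaiveLockout()))
    print("throttled:", lockout_scenario(EscalatingThrottle()))
```

With the naive policy the scenario locks alice out from every address; with the throttle only the attacker's (username, address) pair waits, and the wait grows from 2 s to several minutes before the pair is locked outright. The clock is injectable so the policy can be unit-tested without sleeping; a real deployment would also keep a separate per-address counter to catch password spraying across many usernames from one source.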
Mitigation
Phase: Architecture and Design
Description:
- Consider alternatives to account lockout that are still effective against password brute forcing, such as presenting the client with a computational puzzle (proof of work) before each attempt: every guess then costs the guesser CPU time, and there is no lockout state that an attacker can trigger against another user.
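The client-puzzle alternative above, as an added example (not CWE reference code): the server issues a stateless, MAC-protected challenge whose difficulty grows with the recent failure count, the client burns CPU finding a counter that satisfies it, and the server verifies with one HMAC and one hash. The key, difficulty range and maximum age are assumptions.

```python
"""Added example (not CWE reference code): a stateless client puzzle as an
alternative to account lockout. Key, difficulties and ages are assumptions."""

import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

SERVER_KEY = os.urandom(32)    # per-process secret for this demo; real deployments rotate it


def difficulty_for(recent_failures: int, base: int = 10, cap: int = 24) -> int:
    """Puzzle bits to demand: cost doubles per failure, but the account never locks."""
    return min(base + recent_failures, cap)


def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def issue_puzzle(username: str, difficulty: int, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Dict[str, object]:
    """Server side. The tag binds username, nonce, difficulty and issue time, so
    the server keeps no state and the client cannot lower the difficulty."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    msg = f"{username}|{nonce}|{difficulty}|{issued}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"username": username, "nonce": nonce, "difficulty": difficulty,
            "issued": issued, "tag": tag}


def solve_puzzle(puzzle: Dict[str, object]) -> int:
    """Client side: find a counter so SHA-256(tag|counter) starts with
    `difficulty` zero bits. Expected work is about 2**difficulty hashes."""
    prefix = f"{puzzle['tag']}|".encode()
    target = int(puzzle["difficulty"])
    counter = 0
    while leading_zero_bits(hashlib.sha256(prefix + str(counter).encode()).digest()) < target:
        counter += 1
    return counter


def verify_solution(puzzle: Dict[str, object], counter: int, key: bytes = SERVER_KEY,
                    now: Optional[float] = None, max_age: float = 120.0) -> bool:
    """Server side: recompute the tag (constant-time compare), reject stale or
    future puzzles, then check the single hash the client claims."""
    current = time.time() if now is None else now
    msg = f"{puzzle['username']}|{puzzle['nonce']}|{puzzle['difficulty']}|{puzzle['issued']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(puzzle["tag"])):
        return False
    if not 0 <= current - int(puzzle["issued"]) <= max_age:
        return False
    digest = hashlib.sha256(f"{puzzle['tag']}|{counter}".encode()).digest()
    return leading_zero_bits(digest) >= int(puzzle["difficulty"])


if __name__ == "__main__":
    puzzle = issue_puzzle("alice", difficulty_for(recent_failures=4))
    start = time.perf_counter()
    answer = solve_puzzle(puzzle)
    print(f"solved {puzzle['difficulty']}-bit puzzle with counter {answer} in "
          f"{time.perf_counter() - start:.3f}s; valid={verify_solution(puzzle, answer)}")
```

Because the MAC covers the username and difficulty, an attacker cannot request an easy puzzle for a victim's account, and because nothing is stored per account there is no lockout to induce. Two caveats a deployment must handle: a solved puzzle can be replayed until it expires unless the server remembers used nonces for `max_age`, and the difficulty cap has to stay solvable on the slowest legitimate client while still making large-scale guessing expensive.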
CAPEC-2: Inducing Account Lockout
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect login attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account simply by submitting wrong passwords for that user's login name. The weakness being leveraged by the attacker is the very security feature that was put in place to counteract attacks.