Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: None
Add ability to disable(lock) the account when the number of consecutive logon attempts exceeds predefined threshold.
The different locking policies can be applied for interactive and non interactive accounts.
For example, for interactive accounts the following can be used:
- If the account password length is 8 to 15 characters the account must be locked out until reset after at most 10 consecutive login failures.
- If the account password length is 16 characters the account must lock out for at least 1 minute after at most 10 consecutive login failures.
For non-interactive accounts the following can be used:
- Accounts must be locked out for at least 1 minute after at most 10 consecutive login failures. Lockout time should escalate by doubling with each sequential lockout or risk appropriate monitoring of repeated lockouts to detect brute force attacks should be implemented.
- For accounts with availability concerns when account lockout is impractical, the risk appropriate monitoring of repeated failed login attempts needs to be added to detect brute force attacks