Wait a second. Really? I can't tell my users that they locked out their account? Yep. For sites containing highly sensitive information (employee records, financial information, etc.) you will fail a security assessment if your login page tells an attacker that the account is locked out.
Why is that?
The concern is username enumeration. A hacker tries to log in with a guessed account name several times and gets "The account is locked out due to 5 failed attempts". Now the hacker knows that account name is real, which is one more piece of information that helps him figure out how to get in. With a confirmed user name he can keep attacking the account every time the lockout is reset. Or he can skip the guessing and use a little social engineering: he calls your help desk, quotes the site URL and the account name, and may well convince them to reset the password without verifying anything else about the account. Now the hacker has a valid account and a valid password, and you are compromised without knowing it until it is far too late. It could be weeks before the real user tries to log in, finds that the password no longer works and calls the help desk. By then the hacker could have downloaded everything that user has access to, created another user account, and so on.
It is best to avoid showing messages like these to the user:
- The password is invalid.
- The account is locked out.
Always show the same response for every failed login, whatever the real reason (unknown user name, wrong password, or locked account), and keep the real reason in your server-side logs instead:
- The username or password is invalid. Please try again.
The response has to be the same in every respect an attacker can observe, not just the wording: same HTTP status, same page, and roughly the same response time (so check the password even when the account does not exist or is locked). Only showing the generic message fails the test if the locked-account path returns noticeably faster.
When a user calls the help desk for a password reset:
- The help desk must verify the caller's identity against information on file for the account; knowing the site URL and the user name proves nothing.
- The help desk should be able to see the account's login history and ask the caller when they last logged in successfully.
- The help desk should be able to see as much as possible about any failed login attempts: source IP address, number of failed attempts, when they happened, etc. If the failed attempts come from China but your users are only in a few locations in the United States, you might have a problem.
- The help desk should reset the password and send a password reset email to the email address already on file for the account, never to an address the caller supplies or read out over the phone.
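The following is an added example, not code from the original post. It shows both halves of the advice above: a login check that returns one generic message for every failure (unknown user, wrong password, locked account) while recording the real reason, source IP and timestamp server-side, and a help desk view built from that record (last successful login, failed attempts, source IPs, and any country outside where the users normally are). The names AuthStore, login, help_desk_view and demo, the sample user and the IP addresses are assumptions made for this example; the IP-to-country map is a constructed stand-in for a real GeoIP lookup.

```python
# Added example (not from the original post): one generic failure message for
# every login failure, with the real reason, source IP and timestamp kept
# server-side for the help desk. AuthStore, login, help_desk_view, demo, the
# sample user and the IPs are assumptions; IP_COUNTRY is a constructed stand-in
# for a real GeoIP database.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

GENERIC_FAILURE = "The username or password is invalid. Please try again."
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_PERIOD = timedelta(minutes=15)

# Constructed stand-in for a GeoIP lookup (RFC 5737 documentation addresses).
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "CN"}
EXPECTED_COUNTRIES = {"US"}   # where this site's users normally log in from


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    def __init__(self):
        self.users = {}    # username -> salt, hash, failed count, locked_until
        self.events = []   # audit log: (timestamp, username, ip, real outcome)
        # Dummy credential so an unknown username costs the same to check as a
        # real one; otherwise response time would reveal which names exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("placeholder", self._dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failed": 0, "locked_until": None}

    def login(self, username: str, password: str, ip: str, now: datetime):
        """Return (ok, message). Every failure gets the same message."""
        user = self.users.get(username)
        salt = user["salt"] if user else self._dummy_salt
        expected = user["hash"] if user else self._dummy_hash
        # Always hash and compare in constant time, even for unknown or locked
        # accounts, so the timing of the reply does not leak the reason.
        match = hmac.compare_digest(hash_password(password, salt), expected)

        if user is None:
            outcome = "unknown-user"
        elif user["locked_until"] is not None and now < user["locked_until"]:
            outcome = "locked"            # even a correct password fails here
        elif not match:
            user["failed"] += 1
            outcome = "bad-password"
            if user["failed"] >= MAX_FAILED_ATTEMPTS:
                user["locked_until"] = now + LOCKOUT_PERIOD
                outcome = "bad-password-lockout"
        else:
            user["failed"], user["locked_until"] = 0, None
            outcome = "success"

        # The real reason goes to the log for the help desk, never to the caller.
        self.events.append((now, username, ip, outcome))
        if outcome == "success":
            return True, "Login successful."
        return False, GENERIC_FAILURE

    def help_desk_view(self, username: str) -> dict:
        """What the help desk checks before a reset: last good login, failed
        attempts with source IPs, and countries outside the expected set."""
        history = [e for e in self.events if e[1] == username]
        successes = [e for e in history if e[3] == "success"]
        failures = [e for e in history if e[3] != "success"]
        countries = {IP_COUNTRY.get(e[2], "unknown") for e in failures}
        return {"last_success": successes[-1][0] if successes else None,
                "failed_attempts": len(failures),
                "failed_ips": sorted({e[2] for e in failures}),
                "unexpected_countries": sorted(countries - EXPECTED_COUNTRIES)}


def demo() -> dict:
    """Constructed scenario: Alice logs in from the US, then someone in CN
    guesses at her password until the account locks."""
    store = AuthStore()
    store.add_user("alice", "correct horse battery staple")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    msgs = []
    ok_first, _ = store.login("alice", "correct horse battery staple", "203.0.113.10", t0)
    for minute in range(1, 6):                       # 5 wrong guesses -> lockout
        msgs.append(store.login("alice", "wrong", "192.0.2.44", t0 + timedelta(minutes=minute))[1])
    msgs.append(store.login("nobody", "wrong", "192.0.2.44", t0 + timedelta(minutes=6))[1])
    # Correct password while locked: still the generic message.
    ok_locked, msg = store.login("alice", "correct horse battery staple", "192.0.2.44", t0 + timedelta(minutes=7))
    msgs.append(msg)
    # Lockout expired: the real user gets back in from her usual location.
    ok_later, _ = store.login("alice", "correct horse battery staple", "198.51.100.7", t0 + timedelta(minutes=30))
    return {"ok_first": ok_first, "ok_locked": ok_locked, "ok_later": ok_later,
            "all_same_message": all(m == GENERIC_FAILURE for m in msgs),
            "help_desk": store.help_desk_view("alice")}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the post from both sides: the caller sees the identical generic message for the wrong password, the unknown user name and the locked account (even with the correct password), while the help desk view for alice shows six failed attempts from 192.0.2.44 in CN against an expected set of US locations, which is exactly the kind of history that should make the help desk slow down before resetting anything.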
So solving this problem is not just about coding a secure login page; it is also about making sure your help desk understands social engineering and how attackers work.