connection. Due to the potential for denial of service, automatic lockouts initiated by
systems are, in most cases, temporary and automatically release after a predetermined
period established by the organization (i.e., a delay algorithm). If a delay algorithm is
selected, organizations may employ different algorithms for different system components
based on the capabilities of the respective components. Responses to unsuccessful logon
attempts may be implemented at the operating system and application levels.
Consecutive unsuccessful logon attempts may indicate malicious activity. You can mitigate
these types of attacks by limiting the number of unsuccessful logon attempts. There are
many ways to do this. A threshold of three consecutive unsuccessful logon attempts is a common
setting. Organizations should set this number at a level that fits their risk profile. A lower
threshold of unsuccessful attempts provides stronger protection against password guessing.
Once the system locks an account, there are several ways to unlock it. The most common is to
keep the account locked for a predefined period, after which the account unlocks automatically.
Another option is to keep the account locked until an administrator unlocks it.
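To make the mechanism concrete, here is an added example (not from this document or from any NIST publication) of a lockout tracker that enforces the three-attempt threshold and five-minute automatic release described above, with the administrator-unlock variant as an option; `check_password` is an assumed credential verifier supplied by the caller, and `now` is passed in so the delay logic can be exercised without a real clock.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class LockoutPolicy:
    """Lock after N consecutive failures, then release after a fixed delay."""
    max_attempts: int = 3            # three consecutive failures, as in the text
    lockout_seconds: int = 300       # five-minute automatic release, as in the example
    admin_unlock_only: bool = False  # True: stay locked until an administrator unlocks

@dataclass
class AccountState:
    failures: int = 0                      # consecutive unsuccessful attempts so far
    locked_until: Optional[float] = None   # None = not locked; inf = admin unlock only

class LogonGuard:
    def __init__(self, policy: LockoutPolicy, check_password: Callable[[str, str], bool]):
        self.policy = policy
        self.check_password = check_password  # hypothetical credential verifier
        self.accounts: dict = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:   # delay period elapsed: automatic release
            st.locked_until, st.failures = None, 0
            return False
        return True

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account is never checked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"          # even a correct password is refused while locked
        if self.check_password(user, password):
            st.failures = 0          # success resets the consecutive counter
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.locked_until = (float("inf") if self.policy.admin_unlock_only
                               else now + self.policy.lockout_seconds)
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()   # clears both the lock and the counter
```

Because a locked account is rejected before the password is evaluated, the lockout also denies an attacker any signal about the password itself during the delay period; the trade-off is the denial-of-service exposure noted above, which is why the release is timed rather than permanent by default.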
Example
You attempt to log on to your work computer. You mistype your password three times in a
row. You call your IT help desk or administrator. The administrator tells you your account
is locked. He explains that all accounts lock after three unsuccessful logon attempts. This
limits the effectiveness of brute-force and other password attacks. He tells you he can
unlock it, or you can wait five minutes and the account will unlock automatically.
REFERENCES
• NIST SP 800-171 Rev 1 3.1.8
• NIST CSF v1.1 PR.AC-7
• NIST SP 800-53 Rev 4 AC-7