Typically, a policy is formulated as follows:
- If there have been at least
Mconsecutive, failed attempts to sign into the profile of user Uduring an interval of Nminutes, then:
- Block any additional login attempts into
Uduring the following Ominutes.
This type of policy commonly prevents brute force password guessing attacks against user profiles on web sites, Active Directory domains and other systems.
There is some variety in how intruder lockouts are implemented by different systems and applications:
- On some security systems, the lockout persists indefinitely.
- On some security systems, the user's location (e.g., IP address) may be locked out, rather than or in addition to a user profile.
- On some security systems, values for
M, Nor Oabove are fixed and cannot be adjusted by the organization which deployed the system.
- On some (older) systems, the intruder lockout flag is incorrectly entangled with an administrative disable flag -- one that is set by an administrator to indicate that the user in question should henceforth not be allowed to sign in. On such systems (e.g., RACF, ACF2 on mainframes) the built-in mechanism is not sufficient to distinguish between what caused a lockout -- too-frequent failed logins or administrator action.
(1)Users who have triggered an intruder lockout can sign into Hitachi ID Password Manager with other types of credentials, such as a hardware token or by answering personal questions and can then clear the intruder lockout on their own account.
It should be noted that Hitachi ID Management Suite differentiates between different types of "locks," and Password Manager only allows users to clear intruder lockouts:
- Intruder lockouts: are triggered by repeated attempts
to sign into a given login account with an incorrect password.
They often have a timeout (i.e., automatically cleared after
a set interval).
- Administratively disabled: the login ID was explicitly
disabled by a security administrator. Password Manager does not
remove such locks.
- Password expired: the user may sign in, but can only
access the password change function of the system or application.
Password Manager may set this flag after an assisted password reset (i.e.,
to force the user to change a temporary password). Password Manager
normally clears this flag after self-service password changes.
- Account expired: the account is in a state equivalent to setting the "administratively disabled" flag, but as a result of the active time period for the account expiring, rather than due to recent administrator intervention.
It should also be noted that not all target system types support all of the above mechanisms and some target types actually entangle them. For example, "administratively disabled" and "intruder lockout" are represented by the same flag on most mainframe systems.
In cases where the states are entangled on a target system, Password Manager will either not allow users to clear the flag or, where possible, expose a plug-in point where customers can insert business logic to differentiate between different meanings of the same flag.