Typically, a policy is formulated as follows:
- If there have been at least M consecutive failed attempts to sign into the profile of user U during an interval of N minutes, then:
- Block any additional login attempts into U during the following O minutes.
This type of policy commonly prevents brute force password guessing attacks against user profiles on web sites, Active Directory domains and other systems.
There is some variety in how intruder lockouts are implemented by different systems and applications:
- On some security systems, the lockout persists indefinitely.
- On some security systems, the user's location (e.g., IP address) may be locked out, rather than or in addition to a user profile.
- On some security systems, values for M, N or O above are fixed and cannot be adjusted by the organization which deployed the system.
- On some (older) systems, the intruder lockout flag is incorrectly entangled with an administrative disable flag -- one that is set by an administrator to indicate that the user in question should henceforth not be allowed to sign in. On such systems (e.g., RACF, ACF2 on mainframes) the built-in mechanism is not sufficient to distinguish between what caused a lockout -- too-frequent failed logins or administrator action.
Users who have triggered an intruder lockout can sign into Hitachi ID Password Manager with other types of credentials, such as a hardware token or by answering personal questions and can then clear the intruder lockout on their own account.
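The M/N/O policy above, the variants listed (indefinite lockouts, locking an IP address rather than a user, keeping the lockout flag separate from an administrative disable flag) and the self-service clearing of a lockout can all be shown in one sliding-window tracker. This is an added illustration written for this page, not Hitachi ID code or the behaviour of any named product; the class and method names, the seconds-based policy fields and the sample user names and IP address are assumptions made for the example.

```python
"""Sliding-window intruder lockout (added illustration; not Hitachi ID's code).

Policy: after M consecutive failed sign-ins for a key (user or IP address)
within N minutes, refuse further attempts on that key for O minutes, or
indefinitely when O is None.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Set


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int               # M: consecutive failures that trigger a lockout
    window_seconds: int             # N minutes, expressed in seconds
    lockout_seconds: Optional[int]  # O minutes in seconds; None = lock indefinitely


class LockoutTracker:
    """Tracks failures per key; the key may be a user name or an IP address."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}
        self._admin_disabled: Set[str] = set()   # deliberately separate from lockouts

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                          # a timed lockout has expired
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Register one failed attempt; return True if it triggers a lockout."""
        window = self._failures.setdefault(key, deque())
        window.append(now)
        while window and now - window[0] > self.policy.window_seconds:
            window.popleft()                      # forget failures older than N minutes
        if len(window) >= self.policy.max_failures:
            o = self.policy.lockout_seconds
            self._locked_until[key] = float("inf") if o is None else now + o
            window.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)             # a success breaks the consecutive run

    def clear_lockout(self, key: str) -> None:
        """What a self-service reset does once the user proves identity another way."""
        self._locked_until.pop(key, None)
        self._failures.pop(key, None)

    def admin_disable(self, key: str) -> None:
        self._admin_disabled.add(key)             # never cleared by clear_lockout()

    def admin_enable(self, key: str) -> None:
        self._admin_disabled.discard(key)

    def attempt(self, key: str, password_ok: bool, now: float) -> str:
        """Outcome of one sign-in: 'disabled', 'locked', 'failed' or 'ok'."""
        if key in self._admin_disabled:
            return "disabled"
        if self.is_locked(key, now):
            return "locked"                       # not evaluated, even if the password is right
        if password_ok:
            self.record_success(key)
            return "ok"
        return "locked" if self.record_failure(key, now) else "failed"


if __name__ == "__main__":
    # Constructed walk-through: M=3 failures within N=5 minutes locks for O=15 minutes.
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, window_seconds=300, lockout_seconds=900))
    for t in (0, 60, 120):
        print(t, tracker.attempt("alice", False, t))
    print(130, tracker.attempt("alice", True, 130))     # right password, still locked
    print(1020, tracker.attempt("alice", True, 1020))   # lockout expired
```

The tracker is keyed by an opaque string, so the same object can hold a per-user policy and a per-IP policy side by side; the administrative disable set is kept apart from the lockout table so that clearing a lockout never re-enables an account an administrator disabled, which is exactly the distinction the older mainframe systems mentioned above cannot make.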