Description
OWASP https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements 2.2.1 talks about brute force mitigation:
> Verify that no more than 100 failed attempts per hour is possible on a single account.
This can probably be implemented as part of tracking.
Could also add slowing down responses (but of course an attacker can send multiple requests that would be handled by different threads).
Some good background: https://security.stackexchange.com/questions/85435/silently-limiting-login-attempts?rq=1
In particular, watch out for telling people an account is locked out, since that relays the info that the account/username is valid! (Send email/SMS instead.)
NIST 5.2.2:

> Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100.

and then...

> When the subscriber successfully authenticates, the verifier SHOULD disregard any previous failed attempts for that user from the same IP address.
What is confusing in the NIST verbiage is that the first sentence talks about the 'account' while the second talks about IP addresses.
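One way the two requirements can coexist, as an added example that is not code from this issue or the project: the counter is keyed by account (so the ASVS/NIST cap holds regardless of how many source IPs the attacker spreads requests over), and a successful login only discards the failures recorded from the IP that just authenticated, which is the NIST "SHOULD". Every failure, including a lockout and an unknown username, returns the same message; the `on_lockout` hook is where an out-of-band email/SMS would be sent. Class and function names, the sample user store, the PBKDF2 parameters and the `ManualClock` test aid are all assumptions made for this example.

```python
"""Per-account sliding-window login throttle with IP-scoped reset on success.

Added illustration for the ASVS 2.2.1 / NIST 800-63B 5.2.2 discussion above;
not the project's own code. Names and parameters are assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

LOGIN_FAILED = "Invalid username or password."  # one message for every failure path
LOGIN_OK = "ok"


class ManualClock:
    """Injectable clock so the window can be advanced deterministically in tests."""

    def __init__(self, start=0.0):
        self.t = float(start)

    def __call__(self):
        return self.t


class LoginThrottle:
    """Counts failed attempts per account inside a sliding window.

    max_failures / window default to the ASVS 2.2.1 figure (100 per hour).
    record_success() drops only the failures that came from the same source IP,
    which is how the NIST "account" cap and the NIST "same IP address" reset
    can both be honoured: failures from other IPs keep counting.
    """

    def __init__(self, max_failures=100, window=3600.0,
                 clock=time.monotonic, on_lockout=None):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.on_lockout = on_lockout  # hypothetical hook: notify the owner out of band
        self._failures = defaultdict(deque)  # account -> deque[(timestamp, ip)]

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0][0] >= self.window:
            q.popleft()
        return q

    def failures(self, account):
        return len(self._prune(account, self.clock()))

    def is_limited(self, account):
        return self.failures(account) >= self.max_failures

    def record_failure(self, account, ip):
        now = self.clock()
        q = self._prune(account, now)
        q.append((now, ip))
        if len(q) == self.max_failures and self.on_lockout is not None:
            # Tell the account owner by email/SMS; the HTTP response stays generic.
            self.on_lockout(account)

    def record_success(self, account, ip):
        q = self._prune(account, self.clock())
        # NIST 5.2.2: forget earlier failures from the IP that just authenticated.
        self._failures[account] = deque(e for e in q if e[1] != ip)


def hash_password(password, salt=None, iterations=20_000):
    """Demo-strength PBKDF2; production would use a tuned Argon2/bcrypt/scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), iterations


def verify_password(record, password):
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed sample user store: username -> (salt, digest, iterations).
USERS = {"alice": hash_password("correct horse battery staple")}
_DUMMY = hash_password("not-a-real-user")  # verified for unknown names so work is uniform


def login(throttle, username, password, ip, users=USERS):
    """Return LOGIN_OK or LOGIN_FAILED without revealing whether the name exists
    or whether the account is currently rate-limited."""
    if throttle.is_limited(username):
        # Skip the password check entirely; the attempt is not recorded, so the
        # lockout ends when the oldest failure ages out (100 per window, not forever).
        return LOGIN_FAILED
    record = users.get(username, _DUMMY)
    if verify_password(record, password) and username in users:
        throttle.record_success(username, ip)
        return LOGIN_OK
    throttle.record_failure(username, ip)
    return LOGIN_FAILED


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, on_lockout=lambda a: print("notify owner of", a))
    for _ in range(4):
        print(login(t, "alice", "guess", "10.0.0.1"))
    print(login(t, "alice", "correct horse battery staple", "10.0.0.1"))  # still rejected
```

Unknown usernames are throttled under the submitted name too, so an attacker enumerating names sees the same message and the same lockout behaviour for real and fake accounts. The trade-off left open above still applies: an attacker who can keep an account at the cap denies the legitimate user for the rest of the window, which is why the owner is told out of band rather than in the response.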