Testing for Weak lock out mechanism (OTG-AUTHN-003)

Summary
Account lockout mechanisms are used to mitigate against brute force password guessing attacks. Accounts are typically locked out after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism or intervention by an administrator. Account lockout mechanisms require a balance between protecting accounts from unauthorised access and protecting users from being denied authorised access. Factors to consider when implementing an account lockout mechanism:

 * 1) What is the risk of brute force password guessing against the application?
 * 2) Is a CAPTCHA sufficient to mitigate this risk?
 * 3) Number of unsuccessful logon attempts before lockout
 * 4) How will accounts be unlocked?
   * Manually by an administrator
   * After a period of time. What is the lockout period?

Note that this test should cover all aspects of authentication where lock out mechanisms would be appropriate, e.g. when the user is presented with security questions during forgotten password mechanisms (see Testing for Weak security question/answer (OTG-AUTHN-008)).

Test objectives
Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.

Evaluate the re-activation mechanism's resistance to unauthorised account re-activation.

How to test

 * 1) Number of unsuccessful logon attempts before lockout
 * 2) How will accounts be unlocked?
   * Manually by an administrator
   * After a period of time. What is the lockout period?

Remediation
Implement CAPTCHA with the account logon page.

Apply account reactivation mechanisms depending on the risk level. In order from lowest to highest assurance:


 * 1) Time-based lockout and reactivation
 * 2) Self-service reactivation (sends reactivation email to registered email address)
 * 3) Manual administrator reactivation
 * 4) Manual administrator reactivation with positive user identification
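The following is an added illustration of the lockout behaviour the factors above describe (a threshold of unsuccessful attempts, a time-based reactivation period, and a manual administrator unlock). It is example code written for this page, not code from the OWASP Testing Guide or from any particular product; the class and function names, the default threshold of 5 and the 15-minute lockout period are all assumed values chosen for the demonstration. The password verifier is injected as a callable so the policy can be exercised offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed defaults for this example: the guide cites 3 to 5 attempts; the period is a design choice.
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    """Server-side lockout state, keyed by account (never by client session or IP)."""
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None means not time-locked
    admin_locked: bool = False            # set by an administrator, cleared only by admin_unlock


class LockoutPolicy:
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD,
                 lockout_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the reactivation period can be tested without sleeping
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        st = self._state(username)
        if st.admin_locked:
            return True
        if st.locked_until is None:
            return False
        if self.clock() >= st.locked_until:
            # Time-based reactivation: the lockout period has elapsed, reset the counter.
            st.locked_until = None
            st.failed_attempts = 0
            return False
        return True

    def login(self, username: str, password: str,
              verify: Callable[[str, str], bool]) -> str:
        """Return 'locked', 'ok' or 'bad_password'.

        The lockout check runs before the password is verified, so a locked account
        gives the same answer for a correct and an incorrect password: otherwise an
        attacker could keep guessing and learn the password from the response.
        """
        st = self._state(username)
        if self.is_locked(username):
            return "locked"
        if verify(username, password):
            st.failed_attempts = 0  # a successful login resets the counter
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.threshold:
            st.locked_until = self.clock() + self.lockout_seconds
            return "locked"
        return "bad_password"

    def admin_unlock(self, username: str) -> None:
        """Manual administrator reactivation (the higher-assurance option in the list above)."""
        st = self._state(username)
        st.failed_attempts = 0
        st.locked_until = None
        st.admin_locked = False


def demo() -> list:
    """Constructed scenario: three bad passwords, a correct one while locked, then reactivation."""
    now = [1_000.0]
    policy = LockoutPolicy(threshold=3, lockout_seconds=60, clock=lambda: now[0])
    verify = lambda user, pw: pw == "correct-password"  # stand-in for a real credential check
    results = [policy.login("alice", "guess", verify) for _ in range(3)]
    results.append(policy.login("alice", "correct-password", verify))  # still locked
    now[0] += 61  # lockout period elapses
    results.append(policy.login("alice", "correct-password", verify))  # reactivated
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties a tester should look for are visible in `demo()`: the correct password is rejected while the account is locked, and the counter is only reset by a successful login, by the lockout period elapsing, or by an administrator. A counter that resets when the attacker simply opens a new session, or a lockout that still verifies the password and leaks the result, would fail this test.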