Account lockout attack

Revision as of 20:13, 30 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

top [ antivirus+avg ] [ asian bever mr.chews ] [ boss magazine australia ] [ quick heal antivirus free download ] [ gsa auto sales ] [ norton antivirus 2005 cracked ] [ antivirus servers ] [ clearing autocomplete ] [ australian healers dogs ] upstream petroleum australia [ green budgies in australia ] [ deinstalling norton antivirus ] turn off automatic updates xp sp2 panda titanium antivirus reviews [ game cheats grand theft auto ] [ australia hotel restaurant ] [ antique art asian ] site domain [ asia discount europe travel ] [ australian plant pond ] [ auto salvage parts in killeen texas ] [ list of african american inventors and scientists ] index [ australian writers association ] quickheal antivirus software [ animal australia info ] [ public opinion on euthanasia ] [ australiasian college of dermatologists ] [ volunteer africa wildlife ] [ 3 academy fantasia lagu lirik ] [ per antivirus 9.10 ] [ symantec antivirus corporate edition v9.0.3 ] [ etv news south africa ] map [ grissoft antivirus ] [ pc cillin internet security 2004 5bantivirus firewall spam ] [ africa colonialism effects in ] [ literary autobiography 1994 infant prodigy ] [ real estate newcastle australia ] [ nortan antivirus 2004 serial ] [ baswana africa ] asia cafe rosslyn [ symbian antivirus software ] [ norton antivirus 2006 does not support the repair feature ] [ australian tcf industries and globalisation on jobs ] [ bl asian ] [ autobedrijf ]

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 05/30/2009


In an account lockout attack, the attacker attempts to lock out all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out their account for them simply by failing login three times. This attack can result in a large scale denial of service attack if all user accounts are locked out, especially if the amount of work required to reset the accounts is signficant.

Risk Factors



eBay attack

Account lockout attacks are used to exploit authentication systems that are susceptible to denial of service. A famous example of this type of attack is eBay's. eBay used to display the user id of the highest bidder (in the meantime they changed their way of working). In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place a counter bid because they would be locked out. Thus an attacker could win the auction.

Related Threat Agents

Related Attacks

Related Vulnerabilities


Related Controls