Account lockout attack

Revision as of 07:33, 4 August 2008 by KirstenS (Talk | contribs)

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 08/4/2008


In an account lockout attack, the attacker attempts to lock out all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out a victim's account simply by failing login three times against it. This attack can result in a large-scale denial of service if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.

Risk Factors


eBay's attack

Account lockout attacks are used to exploit authentication systems that are susceptible to denial of service. A famous example of this type of attack involved eBay. eBay always displayed the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect login attempts, eBay's password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid, and the victim would have no chance to place a counter bid because they were locked out. Thus an attacker could win the auction.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

Build an authentication mechanism that, after N failed tries, blocks further login attempts coming from the IP address from which those attempts were made.

To minimize the possibility of blocking the account owner, other characteristics such as the User-Agent or the X_FORWARDED_FOR header (if present) may also be taken into consideration.

Moreover, after N login attempts, but before blocking, additional verification can be required by asking the user to enter the text shown in an image (a CAPTCHA) and comparing it with the expected value.

Such an approach should slow down attacks, limit login attempts to the valid user, or even prevent unwanted attempts altogether.
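The following is an added example, not code from OWASP or from any product the page mentions. It puts the naive per-account lockout that the attack description abuses beside the per-source throttle described under Related Controls: failures are counted per client IP (refined by User-Agent and X-Forwarded-For when present), a CAPTCHA is demanded after N failures, and the source is refused outright after M. The credential store, the IP addresses (RFC 5737 documentation ranges) and the header values are constructed for the demo; the CAPTCHA check is represented by a `captcha_ok` flag that a real deployment would set only after verifying the user's answer.

```python
from collections import defaultdict

# Constructed demo credential store; a real system compares password hashes.
USERS = {"highbidder": "correct horse battery staple"}

# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER_IP = "203.0.113.5"
VICTIM_IP = "198.51.100.7"


class AccountLockout:
    """Naive per-account lockout: `threshold` failures on a username lock that
    username for everyone, whoever caused them (the behaviour the attack abuses)."""

    def __init__(self, threshold=3, lock_seconds=900):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unlock timestamp

    def login(self, username, password, now):
        if now < self.locked_until.get(username, 0):
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.threshold:
            self.failures[username] = 0
            self.locked_until[username] = now + self.lock_seconds
            return "locked"
        return "bad_credentials"


class SourceThrottle:
    """Counts failures per request source instead of per account. The key is the
    client IP plus User-Agent and X-Forwarded-For (when present). After
    `captcha_after` failures inside `window_seconds` the source must solve a
    CAPTCHA; after `block_after` failures the source is refused outright."""

    def __init__(self, captcha_after=3, block_after=10, window_seconds=900):
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.window_seconds = window_seconds
        self.failures = defaultdict(list)  # source key -> failure timestamps

    @staticmethod
    def source_key(ip, headers):
        # Header values are client-supplied: they refine the key so that a NAT'd
        # legitimate user is less likely to share a bucket with an attacker, but
        # the IP always stays part of the key so the headers alone cannot reset it.
        return (ip, headers.get("User-Agent", ""), headers.get("X-Forwarded-For", ""))

    def login(self, username, password, ip, headers, now, captcha_ok=False):
        key = self.source_key(ip, headers)
        cutoff = now - self.window_seconds
        recent = [t for t in self.failures[key] if t > cutoff]  # drop expired failures
        self.failures[key] = recent
        if len(recent) >= self.block_after:
            return "blocked"
        if len(recent) >= self.captcha_after and not captcha_ok:
            return "captcha_required"
        if USERS.get(username) == password:
            self.failures[key] = []
            return "ok"
        recent.append(now)
        return "bad_credentials"


def demo_account_lockout():
    """Attacker fails three times on the victim's username; the victim then logs
    in with the correct password. Returns the victim's result."""
    auth = AccountLockout(threshold=3)
    t = 1_000_000
    for i in range(3):
        auth.login("highbidder", "wrong-guess", now=t + i)
    return auth.login("highbidder", USERS["highbidder"], now=t + 10)


def demo_source_throttle():
    """Same sequence against the per-source throttle. Returns
    (attacker's fourth result, victim's result)."""
    auth = SourceThrottle(captcha_after=3)
    t = 1_000_000
    attacker_hdr = {"User-Agent": "attack-script/1.0"}            # constructed
    victim_hdr = {"User-Agent": "Mozilla/5.0 (constructed)"}      # constructed
    for i in range(3):
        auth.login("highbidder", "wrong-guess", ATTACKER_IP, attacker_hdr, now=t + i)
    attacker_next = auth.login("highbidder", "wrong-guess", ATTACKER_IP, attacker_hdr, now=t + 3)
    victim = auth.login("highbidder", USERS["highbidder"], VICTIM_IP, victim_hdr, now=t + 10)
    return attacker_next, victim


if __name__ == "__main__":
    print("per-account lockout, victim sees:", demo_account_lockout())
    print("per-source throttle, (attacker, victim):", demo_source_throttle())
```

Under the per-account scheme the victim is locked out by someone else's failures, which is exactly the eBay scenario; under the per-source scheme the attacker is pushed to a CAPTCHA while the victim, coming from a different source, logs in normally. The time window keeps stale failures from accumulating against a legitimate user, and `block_after` gives a hard stop for sources that keep failing even after the CAPTCHA step.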