Account lockout attack

Revision as of 16:23, 12 June 2006 by Jeff Williams (Talk | contribs)

This is an Attack. To view all attacks, please see the Attack Category page.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

What is an Account lockout attack?

In an account lockout attack, the attacker attempts to lock out all user accounts, typically by failing to log in more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out a user's account simply by failing to log in to it three times. This attack can result in a large-scale denial of service if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.
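The following is an added example, not part of the OWASP page, that contrasts the per-account hard lockout described above with a lockout scoped to the (account, source address) pair that expires on its own. The user store, the class names, the username and the documentation-range IP addresses are all constructed for the illustration; the threshold of three failures is the one the page uses.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

LOCKOUT_THRESHOLD = 3        # the page's example: three failed attempts
LOCKOUT_WINDOW = 15 * 60     # seconds a scoped lockout stays in force (assumed value)


class UserStore:
    """Minimal password store (constructed for the example); PBKDF2 with a per-user salt."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def check(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            # Derive anyway so unknown and known usernames take similar time.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(self._derive(password, salt), stored)


class HardLockoutAuth:
    """The vulnerable policy: failures are counted per account, and the account is
    hard-locked at the threshold until an administrator resets it. Anyone who can
    reach the login form can lock out any account they know the name of."""

    def __init__(self, store):
        self.store = store
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, username, password, source_ip):
        if username in self.locked:
            return "locked"
        if self.store.check(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
            return "locked"
        return "denied"

    def admin_reset(self, username):
        # This is the manual work the page warns can become significant at scale.
        self.locked.discard(username)
        self.failures[username] = 0


class ScopedLockoutAuth:
    """The hardened policy: failures are keyed by (account, source address) and only
    the failures inside LOCKOUT_WINDOW count, so a lockout affects one source and
    clears itself. The account is never hard-locked, so no reset queue builds up."""

    def __init__(self, store, clock=time.time):
        self.store = store
        self.clock = clock                    # injectable for testing the expiry
        self.failures = defaultdict(list)     # (user, ip) -> failure timestamps

    def _recent(self, key, now):
        cutoff = now - LOCKOUT_WINDOW
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def login(self, username, password, source_ip):
        now = self.clock()
        key = (username, source_ip)
        if len(self._recent(key, now)) >= LOCKOUT_THRESHOLD:
            return "locked"
        if self.store.check(username, password):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key].append(now)
        return "locked" if len(self.failures[key]) >= LOCKOUT_THRESHOLD else "denied"


def demonstrate():
    """Run the page's scenario against both policies and return the outcomes."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    results = {}

    # Hard lockout: three failures from an unrelated source lock alice out entirely,
    # so her own correct login from elsewhere is refused.
    naive = HardLockoutAuth(store)
    for _ in range(LOCKOUT_THRESHOLD):
        naive.login("alice", "wrong", "203.0.113.9")
    results["naive_victim"] = naive.login("alice", "correct horse battery staple", "198.51.100.7")

    # Scoped lockout: the same three failures lock only that (account, source) pair,
    # and the lock expires on its own once the window has passed.
    fake_now = [1000.0]
    scoped = ScopedLockoutAuth(store, clock=lambda: fake_now[0])
    for _ in range(LOCKOUT_THRESHOLD):
        scoped.login("alice", "wrong", "203.0.113.9")
    results["scoped_source_locked"] = scoped.login("alice", "wrong", "203.0.113.9")
    results["scoped_victim"] = scoped.login("alice", "correct horse battery staple", "198.51.100.7")
    fake_now[0] += LOCKOUT_WINDOW + 1
    results["scoped_after_window"] = scoped.login("alice", "wrong", "203.0.113.9")
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

Scoping the counter by source address is one mitigation among several (auto-expiring lockouts, progressive delays and CAPTCHA challenges are others) and is usually combined with them: on its own it does not stop an attacker spread across many addresses, and it can misattribute failures for users behind a shared NAT. The important change relative to the hard-lockout policy is that the legitimate user's access is never held hostage to a counter that anyone can increment.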

Common uses of the attack technique

Account lockout attacks are used to exploit authentication systems whose lockout mechanism makes them susceptible to denial of service.

Related vulnerabilities

Related countermeasures