AccountLockoutDuration attribute clarification

AMI_Mani
Tuna

AMI

Posts: 178

AccountLockoutDuration attribute clarification Nov 28, 2023 17:55:31 GMT

Quote

Post by AMI_Mani on Nov 28, 2023 17:55:31 GMT

Hi,
If user is setting values like below in account service

"AccountLockoutThreshold": 3,

AccountLockoutDuration: 0

AccountLockoutCounterResetEnabled: true

As per attribute definition of AccountLockoutDuration

"description": "The period of time, in seconds, that an account is locked after the number of failed login attempts reaches the account lockout threshold, within the period between the last failed login attempt and the reset of the lockout threshold counter. If this value is `0`, no lockout will occur. If the AccountLockoutCounterResetEnabled value is `false`, this property is ignored.",

If value is 0, account should not be locked, so in above case we need to throw error invalid username, password if user tries with invalid password, please correct me if I'm wrong

What is the difference between AccountLockoutCounterResetAfter, AccountLockoutDuration attributes?
Both are time period assume if we set below values
AccountLockoutThreshold: 3,
AccountLockoutCounterResetAfter : 10
AccountLockoutDuration : 20

Account will be locked for 20 seconds after failure of login for 3 times, so AccountLockoutCounter value will be 3 and it will be reset to 0 after 10 second, account will be locked for 20 seconds. What is the use of clearing counter in 10 seconds since account is already locked for 20 seconds

Thanks,
Mani

mraineri
Administrator

Posts: 1,132

AccountLockoutDuration attribute clarification Nov 28, 2023 21:20:21 GMT

Quote

Post by mraineri on Nov 28, 2023 21:20:21 GMT

> If value is 0, account should not be locked, so in above case we need to throw error invalid username, password if user tries with invalid password, please correct me if I'm wrong

As stated in other posts, security best practices prefer you do not have specific messages that indicate which portion of the credentials is incorrect. Simply state "Invalid credentials" in the response so a potential attacker does not get hints as to what portion is correct. This also includes cases where the username and password are valid, but the account is locked; still simply state "Invalid credentials" to prevent a potential attacker from inferring a particular state.

> What is the difference between AccountLockoutCounterResetAfter, AccountLockoutDuration attributes?

AccountLockoutCounterResetAfter: This is used to control when to reset the internal "failed login" counter for an account.
AccountLockoutDuration: This is used to control how long an account is locked once it hits the lockout threshold.

So, for example, let's assume there is an account with the username "admin" and password is "password" with the configuration you have above...

Scenario 1: User attempts to log into the service and provides "admin" was the username and "test" as the password twice. At this point the internal failed login counter is at 2. 10 seconds elapse with no further login attempts; the internal counter is reset back to 0. User attempts to log into the service and provides "admin" was the username and "test" as the password twice (again). At this point the internal failed login counter is at 2 (again). Even though the user has four consecutive failed login attempts, because of that 10 second delay between attempts 2 and 3, the failed login counter was reset. The user attempts to log into the service with "admin" and "password", and the login request is successful.

Scenario 2: User attempts to log into the service and provides "admin" was the username and "test" as the password three times. Because we did not reach the 10 second reset timer, the account is now locked for 20 seconds. Even though the failed login counter clears after 10 seconds, the account is still in the locked state for the full duration of the 20 seconds; the locked state is independent of the internal failed login counter.

Last Edit: Nov 28, 2023 21:22:17 GMT by mraineri

AMI_Mani
Tuna

AMI

Posts: 178

AccountLockoutDuration attribute clarification Nov 29, 2023 3:11:05 GMT

Quote

Post by AMI_Mani on Nov 29, 2023 3:11:05 GMT

Nov 28, 2023 21:20:21 GMT mraineri said:

Hi,
Thanks for details and my inline comments

> If value is 0, account should not be locked, so in above case we need to throw error invalid username, password if user tries with invalid password, please correct me if I'm wrong

As stated in other posts, security best practices prefer you do not have specific messages that indicate which portion of the credentials is incorrect. Simply state "Invalid credentials" in the response so a potential attacker does not get hints as to what portion is correct. This also includes cases where the username and password are valid, but the account is locked; still simply state "Invalid credentials" to prevent a potential attacker from inferring a particular state.

Mani: Agreed and giving message as Invalid username or password, User account won't get locked and he can try any number of incorrect password with above settings, please confirm

> What is the difference between AccountLockoutCounterResetAfter, AccountLockoutDuration attributes?

AccountLockoutCounterResetAfter: This is used to control when to reset the internal "failed login" counter for an account.
AccountLockoutDuration: This is used to control how long an account is locked once it hits the lockout threshold.

So, for example, let's assume there is an account with the username "admin" and password is "password" with the configuration you have above...

Scenario 1: User attempts to log into the service and provides "admin" was the username and "test" as the password twice. At this point the internal failed login counter is at 2. 10 seconds elapse with no further login attempts; the internal counter is reset back to 0. User attempts to log into the service and provides "admin" was the username and "test" as the password twice (again). At this point the internal failed login counter is at 2 (again). Even though the user has four consecutive failed login attempts, because of that 10 second delay between attempts 2 and 3, the failed login counter was reset. The user attempts to log into the service with "admin" and "password", and the login request is successful.

Scenario 2: User attempts to log into the service and provides "admin" was the username and "test" as the password three times. Because we did not reach the 10 second reset timer, the account is now locked for 20 seconds. Even though the failed login counter clears after 10 seconds, the account is still in the locked state for the full duration of the 20 seconds; the locked state is independent of the internal failed login counter.

Mani: Got your point. AccountLockoutCounterResetAfter will be useful in Scenario 1 and for Scenario 2 to AccountLockoutCounter can start counting after 20 seconds and it will be in 0 only between 10 to 20 seconds, eventhough user tried any number of invalid login attempts(between 10 to 20 seconds) since user account is already locked.

Thanks,
Mani

mraineri
Administrator

Posts: 1,132

AccountLockoutDuration attribute clarification Nov 29, 2023 13:59:31 GMT

Quote

Post by mraineri on Nov 29, 2023 13:59:31 GMT

> Mani: Agreed and giving message as Invalid username or password, User account won't get locked and he can try any number of incorrect password with above settings, please confirm

Yes, this is correct; the account won't be locked with that particular configuration since AccountLockoutDuration is 0, and when the service receives valid credentials, the user will have access to the service.