An interesting debate pops up from time to time. From a security standpoint, it is generally a good idea to lock out an account after too many failed login attempts. This is done to prevent a dictionary or brute-force attack: you disable the account so the password cannot be guessed.
Now let's move into the data center. You have a website that connects to a database. The account the website uses to connect to the database is protected with a username and password. This raises the question: do you enforce the same lockout rules for this database account?
Based on the first paragraph, it seems obvious that, for security's sake, you should lock out the ID. But if the ID gets locked out, your website goes down! That is a denial of service: it now becomes incredibly simple to lock out the ID and force the website offline. On the other hand, you still have to prevent brute-force or dictionary attacks.
To wrap up: you might want a password lockout policy for database users for security reasons (stopping password guessing), and you might NOT want a password lockout policy for those same database users, also for security reasons (keeping the website available).
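One way to get out of the dilemma is to treat the two kinds of database users differently: human logins lock after N failures, while an application service account is never locked, is restricted to the hosts that legitimately run the website, and raises an alert when failures pile up. The model below is an added illustration, not code from the original post, and it is not tied to any particular database product; the account names, host addresses, thresholds and the event log are all constructed sample values. It replays the same sequence of login attempts under both policies so you can see the website's connection get refused under the blanket lockout and succeed under the service-account policy.

```python
"""Model of a failed-login policy that distinguishes human database users
(lock after N failures) from application service accounts (never lock;
restrict source hosts, count failures, and alert instead).
Added illustration, not code from the original post. All hosts, account
names, thresholds and events are constructed sample values."""
from collections import deque
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5    # failures in WINDOW that lock a human account
ALERT_THRESHOLD = 5      # failures in WINDOW that alert on a service account
WINDOW_SECONDS = 300     # sliding window for counting failures


@dataclass
class Account:
    name: str
    service: bool = False                       # True: used by an application, not a person
    allowed_sources: frozenset = frozenset()    # hosts a service account may connect from
    locked: bool = False
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    alerts: list = field(default_factory=list)


class AuthPolicy:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def attempt(self, ts, user, source, password_ok):
        """Return the outcome of one login attempt and update account state."""
        acct = self.accounts[user]
        # Service accounts: a network allow-list keeps guesses from other hosts
        # from ever reaching the password check, so they cannot affect the app.
        if acct.service and source not in acct.allowed_sources:
            acct.alerts.append((ts, "connection from unexpected source", source))
            return "rejected_source"
        if acct.locked:
            return "locked"
        if password_ok:
            acct.failures.clear()
            return "ok"
        # Count this failure within the sliding window.
        acct.failures.append(ts)
        while ts - acct.failures[0] > WINDOW_SECONDS:
            acct.failures.popleft()
        if acct.service:
            # Never lock: locking would let failed attempts take the website down.
            if len(acct.failures) >= ALERT_THRESHOLD:
                acct.alerts.append((ts, "repeated failures on service account", source))
            return "failed"
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "failed"


WEB_SERVER = "10.0.0.5"     # constructed: the host that legitimately runs the website
OTHER_HOST = "10.0.0.99"    # constructed: some other host sending bad passwords


def run_scenario(treat_service_as_human):
    """Replay the same constructed attempt log under one of the two policies."""
    webapp = (Account("webapp_db") if treat_service_as_human
              else Account("webapp_db", service=True,
                           allowed_sources=frozenset({WEB_SERVER})))
    alice = Account("alice")
    policy = AuthPolicy([webapp, alice])

    # Constructed event log: (time, user, source host, password correct?)
    events = [(t, "webapp_db", OTHER_HOST, False) for t in range(0, 5)]     # guesses from elsewhere
    events += [(t, "webapp_db", WEB_SERVER, False) for t in range(10, 15)]  # bad deploy, wrong creds
    events += [(20, "webapp_db", WEB_SERVER, True)]                         # website, correct creds
    events += [(t, "alice", OTHER_HOST, False) for t in range(30, 35)]      # human account under attack
    events += [(40, "alice", OTHER_HOST, True)]                             # right password, but locked

    outcomes = {}
    for ts, user, source, ok in events:
        outcomes[(ts, user)] = policy.attempt(ts, user, source, ok)
    return {
        "webapp_outcome": outcomes[(20, "webapp_db")],   # "locked" means the website is down
        "webapp_locked": webapp.locked,
        "webapp_alerts": len(webapp.alerts),
        "alice_outcome": outcomes[(40, "alice")],
    }


if __name__ == "__main__":
    for naive in (True, False):
        label = "same lockout for service account:" if naive else "service-account policy:"
        print(label, run_scenario(naive))
```

Under the blanket policy the five wrong guesses from the other host lock `webapp_db`, and the website's own correct login at t=20 is refused. Under the service-account policy those guesses are rejected by the source allow-list before they touch the account, the five failures from the web server itself produce an alert rather than a lockout, and the website connects. The human account `alice` locks under both policies, which is the behaviour the first paragraph asks for.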