CWE - CWE-645: Overly Restrictive Account Lockout Mechanism (1.1)

Home > CWE List > CWE- Individual Dictionary Definition (1.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-645: Overly Restrictive Account Lockout Mechanism

Individual Definition in a New Window

Overly Restrictive Account Lockout Mechanism

Status: Incomplete

Weakness ID: 645 (Weakness Base)

Description

Summary

The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily. This allows attackers to deny service to legitimate users by causing their accounts to be locked out.

Extended Description

Account lockout is a security feature often present in applications as a countermeasure to the brute force attack on the password based authentication mechanism of the system. After a certain number of failed login attempts, the users' account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also possibly trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive.

Likelihood of Exploit

High

Common Consequences

Availability

Users could be locked out of accounts.

Enabling Factors for Exploitation

The system has an account lockout mechanism.

An attacker must be able to trigger the account lockout mechanism.

The cost to the attacker of triggering the account lockout mechanism should be less than the cost to re-enable the account.

Potential Mitigations

Implement more intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.

Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout.

Consider alternatives to account lockout that would still be effective against password brute force attacks, such as presenting the user machine with a puzzle to solve (makes it do some computation).

Observed Examples

Description

A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	287	Insufficient Authentication	Development Concepts (primary)699 Research Concepts (primary)1000

Applicable Platforms

Languages

All

Time of Introduction

Architecture and Design

Content History

Modifications

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Common_Consequences, Enabling_Factors_for_Exploitation, Relationships

CWE Content Team. MITRE. 2008-10-14. (Internal)

updated Description

Page Last Updated: November 24, 2008


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us