In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
Eighth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2014)
Title: You Have Three Tries Before Lockout. Why Three?
Author(s): Karen Renaud, Rosanne English, Thomas Wynne, Florian Weber
Keywords: Simulation, Passwords, Security Policies
Abstract: It is considered good practice to lock users out if they enter the wrong password three times. This is applied almost universally by systems across the globe. Three tries is probably considered a good balance between allowing the legitimate user to make some genuine errors and foiling an attacker. It must be acknowledged that this rule makes sense intuitively yet there is no empirical evidence that three tries is the most efficacious number. It is entirely possible that the number should not be three, but some other number, such as five or even seven. It is very hard to test this since attempts could be either a legitimate user attempting to recall his/her password, or an intruder trying to breach the account. If an attacker is allowed more attempts one could imagine the system’s security being compromised. Here we argue for the use of a simulation engine to test the effects of such password-related security measures on the security of the entire eco-system. A simulation approach expedites no-risk empirical testing. We use a simulator called SimPass which models both user password-related behaviour and potential password-based attacks from within and outside an organization. We will firstly validate SimPass’s output by quantifying the security impact of increasing the prevalence of password sharing. This kind of behaviour has predictable results, since increased sharing will inevitably lead to more use of others’ credentials. Having shown that SimPass produces credible results, we then test different settings for locking of accounts after a certain number of failed authentication attempts to determine the optimal setting. We find that a three times lockout policy might well be too stringent.
Download count: 1550
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.