I guess the original thinking behind this was to stop people who were trying to guess your password by manually typing it in from a keyboard. The lockout would convince them to stop trying. Now that most attacks of this fashion are automated or offline, the duration probably isn't a factor.
So yes, I'd agree, if one minute can stop a manual attacker from trying and convince them to move on to something more constructive, the lockout duration has done its job. However, as others have said, I'd be interested in hearing some of our more security-minded experts chiming in with some insight.

On 17 February 2012 13:26, Sean Rector <[email protected]> wrote:
> I’d love to hear from the InfoSec peeps on this too – I currently have the
> lockout set at 30 minutes. I’m seriously considering dropping it down to 5.
>
> Sean Rector, MCSE
>
> From: Harry Singh [mailto:[email protected]]
> Sent: Thursday, February 16, 2012 8:16 PM
> To: NT System Admin Issues
> Subject: Re: Self-Service Account Unlock
>
> 500+ users here and am a big fan of account lockout durations of less than
> 5 minutes. Our annual security assessment advisor didn't like that very
> much, for reasons I'm still attempting to figure out. I've read several
> pieces of documentation suggesting keeping the lockout duration to even
> about 1 minute would be secure, but I'm far from an info sec expert. I'm
> eager to hear from the folks on this list who disagree with the lockout
> duration being set to anything higher than 5 minutes (for argument's sake).
>
> Harry.
>
> On Thu, Feb 16, 2012 at 7:22 PM, Kurt Buff <[email protected]> wrote:
>
> Well, since you're that understaffed, I'd personally set the timeout
> to 5 minutes, and let the students deal with it. I say that wearing my
> BOFH hat, but I don't think that it's all that unreasonable.
>
> On Thu, Feb 16, 2012 at 14:50, Blackman, Woody <[email protected]> wrote:
> > Well, in an academic environment, we have 35,000 students per semester
> > using about 2,000 resources (computers in labs) and about 6 people per
> > shift to "help" them. They need access and we need automation/self-service
> > wherever there is opportunity.
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[email protected]]
> > Sent: Thursday, February 16, 2012 2:37 PM
> > To: NT System Admin Issues
> > Subject: Re: Self-Service Account Unlock
> >
> > So, I have some questions regarding this:
> >
> > What is the rush on the part of the end user to have this done? They
> > can't wait 5 or 10 minutes for the unlock to happen automagically?
> >
> > How often do account lockouts happen that this is something worth
> > spending time and money on a solution?
> >
> > Frankly, with my user base of about 250 staff, I consider it unusual to
> > get as many as three requests in a month for account unlocks.
> >
> > Kurt
> >
> > On Thu, Feb 16, 2012 at 10:44, Sean Rector <[email protected]> wrote:
> >> I’ve been looking through the multitude of options, but they all seem
> >> to be web-portal-based. Is there one that puts the Unlock option on
> >> the Logon Screen?
> >>
> >> My point is – what’s the use of a web-portal version when they can’t
> >> log on to their machine? A kiosk-type user account doesn’t seem the
> >> safest route to go.
> >>
> >> Sean Rector, MCSE
> >>
> >> Information Technology Manager
> >> Virginia Opera Association
