Account lockout policies are commonplace throughout the internet. Account lockout occurs when a user enters the wrong password several times in a row and the account is locked. An account lockout policy simply states how many failed sign-in attempts are allowed before the user is locked out and what happens once they are.
Account Lockout Policy Best Practices
- Set the account lockout threshold. How many tries will you allow before a user is locked out? Three is a typical number.
- Set the account lockout duration. Choose how many minutes the account stays locked. The duration can also be made to increase if the user enters a wrong password again after the timer resets. One minute is common, but durations range up to 15 minutes. Alternatively, you can make the lockout indefinite, so the account stays locked until the user gets help from an IT administrator.
- Set a strong password policy. An account lockout policy works best when accompanied by a strong password policy that ensures users choose difficult-to-guess passwords in the first place. The password policy may also cover how those passwords are stored and shared, to ensure they stay safe.
- Communicate the policy to employees. Make sure your employees are well informed about the policy and trained in password best practices such as rotating passwords and storing them encrypted (not on a sticky note on your desk!).
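The threshold, lockout duration and escalating duration from the list above, worked through as an added example (not code from the original post): a hypothetical in-memory lockout tracker with a threshold of three, a one-minute first lockout that doubles on each consecutive lockout and is capped at 15 minutes, and a window after which stale failures stop counting. A real deployment would persist this state rather than keep it in a dictionary.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 3            # failed attempts before lockout (post suggests 3)
    base_lockout_secs: int = 60   # first lockout lasts one minute
    max_lockout_secs: int = 900   # escalation is capped at 15 minutes
    reset_window_secs: int = 900  # failures older than this stop counting (assumed)

@dataclass
class AccountState:
    failures: int = 0             # failures since the last lockout or reset
    last_failure: float = 0.0
    locked_until: float = 0.0
    lockouts: int = 0             # consecutive lockouts, drives escalation

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}   # hypothetical in-memory store

    def lockout_duration(self, nth_lockout: int) -> int:
        # Duration doubles on each consecutive lockout, up to the policy cap.
        return min(self.policy.base_lockout_secs * 2 ** (nth_lockout - 1),
                   self.policy.max_lockout_secs)

    def seconds_remaining(self, user: str, now: float) -> int:
        state = self.accounts.get(user, AccountState())
        return max(0, int(state.locked_until - now))

    def check_password(self, user: str, password_ok: bool, now: float) -> str:
        """Record one sign-in attempt; returns 'ok', 'bad_password' or 'locked'."""
        s = self.accounts.setdefault(user, AccountState())
        if s.locked_until > now:
            # Checked before the password, so a locked account reveals nothing about guesses.
            return "locked"
        if password_ok:
            self.accounts[user] = AccountState()   # success clears all counters
            return "ok"
        if now - s.last_failure > self.policy.reset_window_secs:
            s.failures, s.lockouts = 0, 0          # stale failures no longer count
        s.failures += 1
        s.last_failure = now
        if s.failures < self.policy.threshold:
            return "bad_password"
        s.lockouts += 1                            # threshold reached: lock and escalate
        s.locked_until = now + self.lockout_duration(s.lockouts)
        s.failures = 0
        return "locked"
```

Because the lock check runs before the password is evaluated, even a correct password is refused while the account is locked, which is what stops a guessing attack from continuing during the lockout.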
Why are Account Lockout Policies Put into Place?
An account lockout policy is a good security practice because it helps protect against brute-force attacks. In this type of attack, a hacker submits many random passwords in the hope of eventually guessing correctly. If you have a lockout threshold, hackers have a significantly smaller chance of making a brute-force attack succeed.
Most services, Microsoft included, have an account lockout policy for their users. But every organization, regardless of size or industry, should have an account lockout policy if it wants to keep its networks and private information secure.
However, you don't want your policy to be too strict, or you will be overwhelmed with calls to IT! Studies show that account lockouts are one of the top reasons employees contact IT support. Setting an account lockout policy that balances security and usability is a discussion you need to have with IT.
What Causes Account Lockout?
Account lockout is a common problem, and the most common causes are:
- The user has forgotten their password
- The user reset their password on a new device and cannot sign in from the old device
- The user is signing in from multiple devices (if the policy allows only one login at a time)
- Automated tasks set up by the user are still running with old credentials
What Happens after Account Lockout?
Often, account lockout will require resetting a password. Sometimes, it will just restrict access for a certain period of time, called the account lockout duration. The account lockout duration can last anywhere from one minute to 99,999 minutes (although there probably isn't much need to lock someone out for nearly 70 days). Depending on how strict the account lockout policy is, it can also require an administrator to unlock the account before access is regained.
In Conclusion – What is an Account Lockout Policy?
An account lockout policy states the number of failed sign-in attempts before the user is locked out. It also details what happens when they are locked out and how they can regain access. Account lockout occurs when a user enters the wrong password several times in a row and the account is locked. Account lockout policies are important for your website's protection. They're also important for usability, so that your site's users know what to do if they are locked out.
Free Security and Risk Assessment
Need help developing an account lockout policy and other security policies? Get a Free Security & Risk Assessment to see where your business is vulnerable to cybercriminals and what next steps you can take. We also offer complete managed IT services for businesses.