You Have Three Tries Before Lockout - Why Three?
Authors: Karen Renaud, Rosanne English, T. Wynne, F. Weber

Date: July 8 2014
Publication: Proceedings of the 8th International Symposium on Human Aspects of Information Security (HAISA 2014)
Page(s): 101 - 111
Publisher: Plymouth University
Source 1: https://scholar.google.com/scholar?oi=bibs&cluster=14992826223777095326&btnI=1&hl=en
Source 2: https://www.cscan.org/?page=openaccess&eid=15&id=236

Abstract or Summary:
It is considered good practice to lock users out if they enter the wrong password three times. This is applied almost universally by systems across the globe. Three tries is probably considered a good balance between allowing the legitimate user to make some genuine errors and foiling an attacker. It must be acknowledged that this rule makes sense intuitively yet there is no empirical evidence that three tries is the most efficacious number. It is entirely possible that the number should not be three, but some other number, such as five or even seven. It is very hard to test this since attempts could be either a legitimate user attempting to recall his/her password, or an intruder trying to breach the account. If an attacker is allowed more attempts one could imagine the system’s security being compromised. Here we argue for the use of a simulation engine to test the effects of such password-related security measures on the security of the entire eco-system. A simulation approach expedites no-risk empirical testing. We use a simulator called SimPass which models both user password-related behaviour and potential password-based attacks from within and outside an organization. We will firstly validate SimPass’s output by quantifying the security impact of increasing the prevalence of password sharing. This kind of behaviour has predictable results, since increased sharing will inevitably lead to more use of others’ credentials. Having shown that SimPass produces credible results, we then test different settings for locking of accounts after a certain number of failed authentication attempts to determine the optimal setting. We find that a three times lockout policy might well be too stringent.



Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index





[Home] [About Us] [News] [Research]

Copyright © 2019 PasswordResearch.com