We are taking a break from posting progress on our data breach report to discuss a security feature, password lockout. It is employed to discourage password guessing attacks. An added layer of security is good to protect against bad actors, but are there drawbacks?
Most of us have probably experienced this feature by forgetting our password. If you are unfamiliar, a password lockout allows a limited number of attempts to enter the correct password within a period of time. Once the threshold is exceeded, the account is locked against any further attempts until something else happens: either a set amount of time passes, or authentication is achieved in another way. Sometimes a locked-out user can regain immediate access through an identification and verification process, usually involving two-factor authentication. A stricter policy could require an administrator to unlock the account.
Password lockout is meant to prevent brute force attacks, where hackers try a high number of password combinations to gain unauthorized access, but brute force against a live login is generally not the preferred method. As the name suggests, brute force password attempts are time consuming and inelegant. They are also easy to detect and hard to disguise. A better method is to invest the effort to steal the file of stored (hashed or encrypted) passwords from a target system and then, on another computer, take the time to crack them offline and recover all of the passwords. The hacker can then gain access to any user's data, and the lockout tool has no effect in stopping them. For example, instead of breaking into a house and trying to crack a safe on-site, you steal the safe and take your time opening it in your own lair, with a lower risk of getting caught. Yes, a password lockout could prevent a brute force attack, but it is unlikely a hacker would waste time with this method.
One drawback of password lockout is that it creates an opening for a denial of service attack. A bad actor could run a cracking script against all of the institution's accounts at once. Hitting the lockout threshold on everyone's account could be highly problematic in a healthcare institution, especially if the only way to unlock the accounts is through an administrator. It could take hours to resolve.
Password lockouts end up locking legitimate users out far more often than they do hackers. This is especially true if policies require a periodic changing of passwords. A busy clinician may be using several pieces of software throughout the day, making passwords easy to temporarily forget, especially under the pressure of a hectic day. If they forget a password and get locked out, the process and time penalty to regain access may seem like an eternity, and in some cases could be a patient safety issue.
At a minimum, the standard threshold should be higher than 10 attempts. If the account owner had 20 tries to remember their password, they would probably remember it before getting locked out, or give up and reset it to something they can remember. It is extremely unlikely that a hacker would guess a password in 20 tries. In theory, password lockouts could be adjusted to use different thresholds in different circumstances. After the fog of a long vacation, there is a good chance a person could need a few extra guesses to remember which year they adopted their dog or cat, so perhaps the lockout threshold should be higher after a longer period of inactivity.
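As an added illustration (this is not code from the original post), here is a small Python policy tracker that models the lockout described above: a failure threshold counted inside a time window, an automatic unlock after a lockout period, the higher threshold after long inactivity proposed in the last paragraph, and a monitoring hook listing currently locked accounts, since a sudden jump in that list is how a lockout-based denial of service shows up. The 20-attempt threshold comes from the post; the window, lockout duration, inactivity period and bonus guesses are assumed defaults.

```python
import time
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    threshold: int = 20              # failed attempts tolerated inside the window (from the post)
    window_s: float = 15 * 60        # assumed: how long a failure counts against the user
    lockout_s: float = 15 * 60       # assumed: automatic unlock after this long
    inactive_after_s: float = 14 * 86400  # assumed "long vacation": no login for 14 days
    inactive_bonus: int = 5          # assumed: extra guesses granted after such inactivity

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: float = 0.0
    last_success: float = 0.0

class LockoutTracker:
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock, self.accounts = policy, clock, {}
    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())
    def effective_threshold(self, user, now):
        # Raise the threshold for a user who has not logged in for a long time.
        st, p = self._state(user), self.policy
        if st.last_success and now - st.last_success > p.inactive_after_s:
            return p.threshold + p.inactive_bonus
        return p.threshold
    def is_locked(self, user):
        return self._state(user).locked_until > self.clock()
    def locked_accounts(self):
        # Monitoring hook: a spike in this list is the signature of a lockout DoS.
        now = self.clock()
        return sorted(u for u, s in self.accounts.items() if s.locked_until > now)
    def record_attempt(self, user, password_ok):
        """Apply the policy to one login attempt; returns 'ok', 'failed' or 'locked'."""
        now, st, p = self.clock(), self._state(user), self.policy
        if st.locked_until > now:
            return "locked"      # a correct password is still refused while the lock holds
        if password_ok:
            st.failures.clear()
            st.last_success = now
            return "ok"
        # Drop failures older than the window, then count this one.
        st.failures = [t for t in st.failures if now - t < p.window_s] + [now]
        if len(st.failures) >= self.effective_threshold(user, now):
            st.locked_until, st.failures = now + p.lockout_s, []
            return "locked"
        return "failed"
```

Pass a fake clock (a callable returning seconds) to exercise the time-based rules without sleeping.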
Do you find password lockout to be a helpful or hindering feature?