Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16800 | APP3390 | SV-17800r1_rule | ECLO-1 ECLO-2 | High |
| Description |
|---|
| If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application. |
| STIG | Date |
|---|---|
| Application Security and Development STIG | 2014-04-03 |
Details
| Check Text ( C-17796r1_chk ) |
|---|
| Ask the application representative to demonstrate the application locks a user account if a user enters a password incorrectly more than three times in a 60 minute period. 1) If the account is not disabled, it is a finding. |
| Fix Text (F-17069r1_fix) |
|---|
| Lock user accounts after three consecutive unsuccessful logon attempts within one hour. |