The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16800 | APP3390 | SV-17800r1_rule | ECLO-1 ECLO-2 | High |
| Description |
|---|
| If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17796r1_chk ) |
|---|
| Ask the application representative to demonstrate the application locks a user account if a user enters a password incorrectly more than three times in a 60 minute period. 1) If the account is not disabled, it is a finding. |
| Fix Text (F-17069r1_fix) |
|---|
| Lock user accounts after three consecutive unsuccessful logon attempts within one hour. |