02 November 2010

Password and Account Lockout Better Practices

OWASP Podcast Episode 76 with Bill Cheswick is a great discussion about using passwords for authentication and how account lockout affects both usability and user support costs.

Photograph of hundreds of keys apparently floating in mid-air inside an old building, one piece in Jilly Morris' exhibition 1,728,231 Steps at Highgreen, Tarset as VARC artist in residence 2009-2010

I can't recommend the OWASP Podcasts highly enough—Jim Manico's efforts combined with some guest hosts provide a steady stream of fascinating insights from application security experts. In Episode 76, Matt Tesauro interviewed Bill Cheswick (AT&T Labs) following his keynote at OWASP AppSec US 2010.

I recently mentioned password economics and the use of popular passwords, and both share a common theme: password strength alone is not a sufficient measure of authentication security. Bill Cheswick gives a lively account of why passwords are often a "pain in the neck" and why they don't have to be; in his words they can be "more fun, safer and easier".

He said that users are not, in practice, facing dictionary attacks on their passwords. What they do have to deal with are keystroke loggers and phishing sites, against which the complexity of the password makes no difference at all. Online guessing, on the other hand, can be contained by the site rather than pushed onto the user as a complexity rule, so site owners should consider:

  • account lockout after something like 3, 4 or 5 incorrect guesses
  • a short lockout period rather than an indefinite one
  • ensuring that duplicate errors (e.g. typing the same incorrect guess more than once) don't count against the lockout threshold
  • allowing previously agreed trusted users (e.g. parents, spouses, teachers, carers, someone with power of attorney) to vouch for each other, so that a trusted person can initiate a password reset
  • making usernames hard to guess or find
  • using a standard authentication service so the logic does not have to be rebuilt for each new project.
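
As an added illustration of the first three points and the username point (this is my own example code, not anything from the podcast, from Bill Cheswick's talk or from the post), the Python sketch below counts only distinct wrong guesses, locks for a short period, and answers an unknown username exactly as it answers a wrong password. The threshold of 5, the 60 second lockout, the class and function names and the use of scrypt are all my assumptions; the keys are generated at start-up purely so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Policy values in the spirit of the post: a handful of distinct wrong guesses,
# then a short lockout. Both numbers are assumptions, not taken from the talk.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 60

# Server-side secrets. Assumed to be generated at start-up for this example; a
# real service would load them from a secret store so they survive restarts.
_GUESS_KEY = secrets.token_bytes(32)   # keys the digests of wrong guesses
_DUMMY_SALT = secrets.token_bytes(16)  # hashed against when the user is unknown


@dataclass
class AccountState:
    password_hash: bytes                              # scrypt of the real password
    salt: bytes
    failed_digests: set = field(default_factory=set)  # distinct wrong guesses this window
    locked_until: float = 0.0                         # clock value; 0.0 means not locked


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so a test can move time forward
        self.accounts = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def _guess_digest(self, username: str, guess: str) -> bytes:
        # Keyed digest of the wrong guess so a repeat can be recognised without
        # keeping the guess itself (it is often the user's password for another site).
        return hmac.new(_GUESS_KEY, f"{username}\0{guess}".encode(), hashlib.sha256).digest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = AccountState(self._hash(password, salt), salt)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'. An unknown username gets the same 'bad'
        as a wrong password, at the same hashing cost, so usernames cannot be
        enumerated from the response or its timing."""
        acct = self.accounts.get(username)
        if acct is None:
            self._hash(password, _DUMMY_SALT)   # burn the same time as a real check
            return "bad"

        now = self.clock()
        if now < acct.locked_until:
            return "locked"                     # even the correct password waits
        if acct.locked_until:
            # Lockout has expired: start a clean counting window.
            acct.failed_digests.clear()
            acct.locked_until = 0.0

        if hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            acct.failed_digests.clear()
            return "ok"

        # Count distinct wrong guesses only: retyping the same wrong password
        # (caps lock, a stale saved password) does not move the user towards lockout.
        acct.failed_digests.add(self._guess_digest(username, password))
        if len(acct.failed_digests) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad"
```

Two caveats a practitioner would want alongside this. First, the per-account state lives in memory here; in a real deployment it has to sit in a store shared by every login node, otherwise an attacker spreads guesses across nodes and never hits the threshold. Second, any lockout scheme lets someone who knows a username deliberately lock that account, which is exactly why the lockout period is short and why "make usernames hard to guess or find" is on the list. None of this helps against a keystroke logger or a phishing site, which is the point Cheswick was making.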

I would also add allowing users to optionally view the password as they type, or at least the last few characters typed, when they are in a safer location and are not being overlooked.

Posted on: 02 November 2010 at 09:10 hrs


Comments


Colin,

Thank you kindly for the "shout out". The OWASP Podcast is a labor of love, I promise to keep it running for many years to come.

Aloha!
- Jim Manico
Added by Jim Manico, posted on 03 November 2010 at 12:48 hrs
Page http://www.clerkendweller.com/2010/11/2/Password-and-Account-Lockout-Better-Practices

© 2010-2012 clerkendweller.com