- How many of you enable account lockouts?
- What's the purpose of the lockout?
- Do you have strong password strength rules that are enforced?
- What's the purpose of the strong password strength rules?
- Do you monitor login fail/succeed entries?
- What's the purpose of monitoring login attempts?
- Do you notify an offending site that they're attacking you?
- How long is the lockout period? Minutes? Days?
- How long does it take to reset the account?
So, what's the problem? Suppose my attack is simply to lock out all of the accounts on the target. In the Unix world, a good sysadmin would prevent remote root logins and use the su and sudo commands to switch into root mode. An account lockout on their account would force them to drive to their operations center and physically walk up to the server to log in as root. An attacker could take advantage of this time delay to launch their attack. This happened to me back in 1997.
Back in the old days of Unix (late 80s to early 90s), Unix did not have password strength controls built into the OS. There were tools like npasswd and passwd+ that allowed such control, but you had to build the commands manually. The absence of such controls left account lockouts as the only viable defense against a brute force password attack.
Nowadays, password strength rule enforcement is built into the OS, usually in the form of PAM modules. The admin has a wide variety of built-in tools to mitigate brute force password attacks.
One of the things I always ask my admins is "does the security control introduce a worse problem than what we're trying to solve?" I believe account lockouts do just that. A massive DoS attack against your user base is worse than someone brute forcing their way into an account. Your password strength rules, log monitoring, and notification of remote sites provide adequate defenses against a brute force attack. IMHO, account lockouts are an archaic solution to the problem. It's what I call an "inherited security solution": it was in a first-edition security book and was carried forward into each new security book without anyone realizing other controls are better.
IT audit checklists will usually flag the lack of a lockout strategy as an audit item. It's time to update those checklists.
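One way to put the log-monitoring defense above into practice, as an added example that is not part of the original post: this Python snippet scans constructed sshd-style failure lines and separates a source guessing repeatedly at one account (classic brute force) from a source spreading failures across many accounts (the lockout DoS pattern described in the post). The log format, addresses, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines in sshd style (not from any real host).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[812]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Jan 10 03:12:02 host sshd[812]: Failed password for bob from 203.0.113.7 port 51001 ssh2
Jan 10 03:12:03 host sshd[812]: Failed password for carol from 203.0.113.7 port 51002 ssh2
Jan 10 03:12:04 host sshd[812]: Failed password for dave from 203.0.113.7 port 51003 ssh2
Jan 10 03:12:05 host sshd[812]: Failed password for erin from 203.0.113.7 port 51004 ssh2
Jan 10 03:15:10 host sshd[900]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan 10 03:15:11 host sshd[900]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 10 03:15:12 host sshd[900]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jan 10 03:15:13 host sshd[900]: Failed password for root from 198.51.100.9 port 40003 ssh2
Jan 10 03:16:00 host sshd[950]: Accepted password for alice from 192.0.2.20 port 33000 ssh2
Jan 10 03:16:30 host sshd[960]: Failed password for frank from 192.0.2.21 port 33001 ssh2
"""

# Matches the sshd failure line; "invalid user" appears for unknown accounts.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def classify_sources(log_text, min_failures=4, spread_accounts=3):
    """Return {source_ip: (verdict, sorted_accounts)} for every source with at
    least min_failures failed logins. A source whose failures touch
    spread_accounts or more distinct accounts is flagged "lockout_flood"
    (it is tripping lockouts across the user base); otherwise "brute_force"
    (it is guessing at a small number of accounts). Thresholds are assumed."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip][user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        if sum(per_user.values()) < min_failures:
            continue  # below the noise floor, e.g. a single typo
        verdict = "lockout_flood" if len(per_user) >= spread_accounts else "brute_force"
        verdicts[ip] = (verdict, sorted(per_user))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, accounts) in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {verdict} ({len(accounts)} accounts)")
```

The point of the split is that the two verdicts call for different responses: a brute-force source is the case lockouts were meant for, while a lockout-flood source is exactly the attacker a lockout policy hands a denial of service to.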