OWASP - Concept regarding authentication
I need to do a security validation on a program, and one of the things I need to answer, related to authentication, is: "Verify that authentication decisions are logged, including linear back-offs and soft-locks."
Does anyone know what linear back-off and soft-locks mean?
Thanks in advance,
Thais.
I am doing research on OWASP ASVS. Linear back-off and soft-lock are authentication controls used to prevent brute-force attacks, and they can also help against DoS.

Linear back-off can be implemented through an algorithm that blocks a user/IP for a particular time, and after every failed login attempt the time increases exponentially, e.g. first failed login: block for 5 minutes, second failed login: block for 25 minutes, third failed login: block for 125 minutes, and so on.

Per my understanding, and as I have seen in articles and implemented in applications such as Oracle WebLogic, soft lock is easier to implement: the IP address (which I think is helpful to protect against DoS and brute force using automated tools) or the user name is logged in the database on every failed login attempt, and when a threshold number of failed login attempts (e.g. 5) is reached, the IP address is blocked permanently. Once an account has been soft-locked in the application runtime, the application does not try to validate the account credentials against the backend system, preventing it from being permanently locked.

The ASVS verification requirement is clear on this, though:

"Verify that a resource governor is in place to protect against vertical (a single account tested against all possible passwords) and horizontal brute forcing (all accounts tested with the same password, e.g. "password1"). Correct credential entry should incur no delay. For example, if an attacker tries to brute force all accounts with the single password "password1", each incorrect attempt incurs a linear back-off (say 5, 25, 125, 625 seconds) with a soft lock of 15 minutes for that IP address before being allowed to proceed. A similar control should be in place to protect each account, with a linear back-off configurable with a soft lock against the user account of 15 minutes before being allowed to try again, regardless of the source IP address. Both these governor mechanisms should be active simultaneously to protect against diagonal and distributed attacks."
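As an added example (not code from the original post, from OWASP ASVS, or from any product mentioned above), the following Python sketch implements the two governors the quoted requirement describes: a per-IP governor that applies the delay schedule 5, 25, 125, 625 seconds and then a 15-minute soft lock, and a per-account governor that soft-locks the user name for 15 minutes once a threshold of failed attempts is reached, regardless of source IP. The backend credential check is skipped while either lock is active, as the answer describes. The threshold of 5 is taken from the answer; the class and function names, the in-memory dictionaries, the injectable clock and the sample users are assumptions for illustration.

```python
"""Added example: a resource governor combining per-IP back-off / soft lock
with a per-account soft lock, following the ASVS text quoted above.
All names are illustrative and state lives in process memory."""
import time
from dataclasses import dataclass

# Delay schedule and lock durations taken from the quoted ASVS example.
IP_BACKOFF_SCHEDULE = (5, 25, 125, 625)   # seconds, one entry per failure
IP_SOFT_LOCK_SECONDS = 15 * 60            # applied once the schedule is exhausted
ACCOUNT_FAILURE_THRESHOLD = 5             # threshold taken from the answer (assumed)
ACCOUNT_SOFT_LOCK_SECONDS = 15 * 60


@dataclass
class FailureState:
    failures: int = 0
    blocked_until: float = 0.0


class ResourceGovernor:
    """Tracks failed logins per source IP and per account simultaneously."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can drive time
        self.by_ip = {}
        self.by_account = {}

    def check(self, ip, username):
        """Return (allowed, seconds_to_wait) without touching the backend."""
        now = self.clock()
        wait = 0.0
        for state in (self.by_ip.get(ip), self.by_account.get(username)):
            if state is not None and state.blocked_until > now:
                wait = max(wait, state.blocked_until - now)
        return wait == 0.0, wait

    def record_failure(self, ip, username):
        now = self.clock()
        # Horizontal protection: back-off per IP, then a soft lock on the IP.
        ip_state = self.by_ip.setdefault(ip, FailureState())
        ip_state.failures += 1
        if ip_state.failures <= len(IP_BACKOFF_SCHEDULE):
            delay = IP_BACKOFF_SCHEDULE[ip_state.failures - 1]
        else:
            delay = IP_SOFT_LOCK_SECONDS
        ip_state.blocked_until = now + delay
        # Vertical protection: soft lock on the account after the threshold.
        acct_state = self.by_account.setdefault(username, FailureState())
        acct_state.failures += 1
        if acct_state.failures >= ACCOUNT_FAILURE_THRESHOLD:
            acct_state.blocked_until = now + ACCOUNT_SOFT_LOCK_SECONDS

    def record_success(self, ip, username):
        # Only the account counter is cleared: clearing the IP counter too would
        # let an attacker holding one valid credential reset the horizontal limit.
        self.by_account.pop(username, None)


def attempt_login(governor, verify_credentials, ip, username, password):
    """Gate the backend check behind the governor.

    Returns (authenticated, retry_after_seconds). While a back-off or soft
    lock is active the backend is never consulted, so the attacker cannot drive
    the account into a permanent lock in the backend system.
    """
    allowed, wait = governor.check(ip, username)
    if not allowed:
        return False, wait
    if verify_credentials(username, password):
        governor.record_success(ip, username)
        return True, 0.0
    governor.record_failure(ip, username)
    return False, 0.0


if __name__ == "__main__":
    # Constructed demo: a horizontal attack from one IP, then a correct login.
    users = {"alice": "correct-horse", "bob": "battery-staple"}   # stand-in backend
    gov = ResourceGovernor()
    check = lambda u, p: users.get(u) == p
    for name in users:
        print(name, attempt_login(gov, check, "198.51.100.7", name, "password1"))
    print("alice", attempt_login(gov, check, "203.0.113.5", "alice", "correct-horse"))
```

The dictionary-backed verifier is a stand-in for the real backend; a deployment would keep the governor state in a shared store so that all application nodes see the same counters, and would log each refusal, which is what the question's requirement about logging authentication decisions asks for.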