H3-2021-0027
Weak Account Lockout Threshold
| Category | CREDENTIALS |
| Base Score | 1.0 |
Description
The account lockout threshold defines the number of failed logins after which a user's account is locked. In this finding, the threshold is either set too high or not configured at all.
Impact
A weak account lockout threshold makes it easier for attackers to brute-force user passwords. If no lockout threshold is set at all, an attacker can try an unlimited number of passwords against every user in the hope that one eventually succeeds.
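As an added example, not part of this entry, the following Python audits a lockout policy against an assumed baseline of 10 failed logins and counts failures per user from constructed log lines, so that accounts that should have been locked still surface when no threshold is enforced. The policy structure, the baseline value and the log format are assumptions, not values from the entry.

```python
"""Audit a lockout policy and flag accounts whose failed logins exceed it.

Added example, not part of the H3-2021-0027 entry. The policy field, the
baseline of 10 and the log lines are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

BASELINE_THRESHOLD = 10  # assumed baseline, not a value from the entry


@dataclass
class LockoutPolicy:
    threshold: int  # failed logins before lockout; 0 means lockout disabled


def audit_policy(policy: LockoutPolicy) -> list[str]:
    """Return findings for a weak threshold; an empty list means acceptable."""
    if policy.threshold <= 0:
        return ["lockout disabled: unlimited guesses per account"]
    if policy.threshold > BASELINE_THRESHOLD:
        return [f"threshold {policy.threshold} exceeds baseline {BASELINE_THRESHOLD}"]
    return []


def failed_logins_by_user(lines: list[str]) -> Counter:
    """Count result=FAIL events per user; each line is
    '<timestamp> user=<name> result=<OK|FAIL> src=<ip>' (constructed format)."""
    counts: Counter = Counter()
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("result") == "FAIL":
            counts[fields["user"]] += 1
    return counts


def accounts_over_threshold(lines: list[str], policy: LockoutPolicy) -> list[str]:
    """Users whose failures reached the limit the policy should enforce; with
    lockout disabled the baseline is used so the guessed accounts still surface."""
    limit = policy.threshold if policy.threshold > 0 else BASELINE_THRESHOLD
    return sorted(u for u, n in failed_logins_by_user(lines).items() if n >= limit)


SAMPLE_LOG = [  # constructed sample: 12 failures for alice, one for bob
    f"2021-06-01T10:00:{i:02d} user=alice result=FAIL src=198.51.100.7"
    for i in range(12)
] + [
    "2021-06-01T10:01:00 user=bob result=FAIL src=198.51.100.7",
    "2021-06-01T10:01:05 user=bob result=OK src=203.0.113.9",
]
```

With lockout disabled, `accounts_over_threshold` reports `alice` against the baseline; with a threshold of 1 it reports both users, showing how much guessing each setting tolerates.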