
Avoid account lockouts


The system must never block a user account after one or several failed authentication attempts.


Account blocking is a double-edged sword: if an attacker is trying to guess an account's password and the account is blocked on the third attempt, the account becomes unusable, even for its original owner. Extended to an attack on all users, blocked accounts would have a high impact on availability. The recommendation is to set different controls, for example, a captcha on the third attempt and, if the system does not support captcha, incremental delays before each authentication attempt. This mitigates the risk of brute-force attacks (which is what the block is intended to do) without generating unavailability.
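The following sketch is an added example, not code from Fluid Attacks: a per-account throttle that asks for a captcha from the third attempt or, when captcha is unavailable, applies incremental delays that are capped so the account never becomes locked. The class and constant names, the 1-second base delay and the 60-second cap are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass

CAPTCHA_FROM_ATTEMPT = 3  # the page's "captcha on the third attempt"
BASE_DELAY = 1.0          # assumed: seconds of delay after the first failure
MAX_DELAY = 60.0          # assumed cap: the wait stays bounded, so no lockout
MAX_EXPONENT = 16         # bounds 2**n so a long attack cannot overflow a float


@dataclass
class _State:
    failures: int = 0
    next_allowed: float = 0.0


class LoginThrottle:
    """Hypothetical helper: captcha or incremental delay, never a lockout."""

    def __init__(self, captcha_supported, clock=time.monotonic):
        self._captcha = captcha_supported
        self._clock = clock
        self._accounts = {}

    def check(self, account):
        """Return (allowed_now, wait_seconds, captcha_required)."""
        st = self._accounts.get(account, _State())
        wait = max(0.0, st.next_allowed - self._clock())
        captcha = self._captcha and st.failures + 1 >= CAPTCHA_FROM_ATTEMPT
        return wait == 0.0, wait, captcha

    def record_failure(self, account):
        """Count a failed attempt; return the delay before the next one."""
        st = self._accounts.setdefault(account, _State())
        st.failures += 1
        if self._captcha:
            return 0.0  # the captcha is the control; no delay is added
        exponent = min(st.failures - 1, MAX_EXPONENT)
        delay = min(MAX_DELAY, BASE_DELAY * 2 ** exponent)
        st.next_allowed = self._clock() + delay
        return delay

    def record_success(self, account):
        """A correct login clears the counter for that account."""
        self._accounts.pop(account, None)
```

The caller checks `check()` before verifying the password and rejects the attempt only while `wait_seconds` is non-zero or the captcha is unsolved; no state ever marks the account as disabled.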

Supported In

This requirement is verified in the following services



