Login failure policy concepts
The login failure ("three strikes") policy, available for ISAM installations that use an LDAP-based user registry, lets an administrator specify a maximum number of failed login attempts (n) and a penalty lockout time (x), such that after n failed login attempts a user is locked out for x seconds (or, alternatively, the account is disabled).
The login failure policy helps defend against automated password-guessing attacks: it forces a user to wait a period of time before making further login attempts. For example, a policy could allow 3 failed attempts followed by a 180-second lockout penalty. A policy of this kind blunts scripted login attempts that arrive many times a second.
The login failure policy requires the joint contribution of two policy settings:
- Maximum number of failed login attempts: max-login-failures
- Penalty for reaching or exceeding the failed login attempt setting: disable-time-interval
The penalty setting can include a temporary account lockout time interval or a complete disabling of the account.
WebSEAL returns a server response error page (acct_locked.html) that notifies the user of the penalty. The late-lockout-notification stanza entry in the [server] stanza of the WebSEAL configuration file specifies whether this notification occurs when the user reaches the max-login-failures limit, or at the next login attempt after reaching the limit.
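To make the interaction of these settings concrete, the following Python model is added here as an illustration; it is not IBM code and does not reproduce WebSEAL's own implementation, which enforces the policy against the user registry. The LoginFailureTracker class, the in-memory credential store and the user "alice" are hypothetical, and the outcomes "ok", "login_failed" and "acct_locked" stand in for a successful login, the login failure page, and the acct_locked.html response. The model covers the three behaviours the text describes: a timed lockout, an outright account disable, and the late-lockout-notification choice of reporting the lock on the attempt that reaches the limit or on the next one.

```python
"""Simplified model of the WebSEAL login failure ("three strikes") policy.

Added example, not IBM code. It models the semantics of max-login-failures,
disable-time-interval and late-lockout-notification as described in the
documentation; the credential store and user names are constructed.
"""
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Union

LOGIN_OK = "ok"
LOGIN_FAILED = "login_failed"   # WebSEAL would show the login failure page
ACCT_LOCKED = "acct_locked"     # WebSEAL would serve acct_locked.html


@dataclass
class LoginFailurePolicy:
    # max-login-failures: failed attempts allowed before the penalty applies
    max_login_failures: int = 3
    # disable-time-interval: lockout in seconds, or "disable" to disable the
    # account outright until an administrator re-enables it
    disable_time_interval: Union[int, str] = 180
    # late-lockout-notification: False = notify on the attempt that reaches
    # the limit; True = notify on the next attempt after the limit is reached
    late_lockout_notification: bool = False


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None = not locked
    disabled: bool = False


class LoginFailureTracker:
    """Hypothetical helper that applies the policy to an in-memory store."""

    def __init__(self, policy: LoginFailurePolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials            # constructed: user -> password
        self.state: Dict[str, AccountState] = {}

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        st = self.state.setdefault(user, AccountState())
        p = self.policy

        # A disabled account stays locked regardless of the password offered.
        if st.disabled:
            return ACCT_LOCKED

        # A timed lockout that is still in force also rejects every attempt;
        # once it has expired, the lock and the failure counter are cleared.
        if st.locked_until is not None:
            if now < st.locked_until:
                return ACCT_LOCKED
            st.locked_until = None
            st.failures = 0

        # Constant-time comparison; an unknown user simply never matches.
        if hmac.compare_digest(self.credentials.get(user, ""), password):
            st.failures = 0                       # success resets the counter
            return LOGIN_OK

        st.failures += 1
        if st.failures < p.max_login_failures:
            return LOGIN_FAILED

        # Limit reached: apply the configured penalty.
        if p.disable_time_interval == "disable":
            st.disabled = True
        else:
            st.locked_until = now + int(p.disable_time_interval)

        # Report the lock now, or defer the acct_locked response to the next
        # attempt when late-lockout-notification is set.
        return LOGIN_FAILED if p.late_lockout_notification else ACCT_LOCKED


if __name__ == "__main__":
    tracker = LoginFailureTracker(LoginFailurePolicy(3, 180), {"alice": "s3cret"})
    for t, pw in [(0, "bad"), (1, "bad"), (2, "bad"), (3, "s3cret"), (182, "s3cret")]:
        print(f"t={t:>3}s password={pw!r:9} -> {tracker.login('alice', pw, now=t)}")
```

Passing `now` explicitly keeps the model deterministic for testing; in production the wall clock is used. Note that the counter is cleared only on a successful login or when the lockout expires, so two failures followed by a long pause still leave the user one failure away from the penalty.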
See also Removal of a user session at login failure policy limit.