Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1  08-26-2011, 10:02 AM
thunder04 (Special Member, Posts: 103)
Failed Login Policy Question

Hey All,

I'm trying to decide on the best settings for the Failed Login Policy (we've been running Zimbra for 3+ years and have yet to enable this!) and I have a question about functionality.

Let's say I configure the following settings:

Number of consecutive failed logins allowed: 5
Time to lockout the account: 1 hour
Time window in which the failed logins must occur to lock the account: 24 hours

If a user fails to log in 3 times, but is successful the 4th time, does this mean they will only have two more attempts within the 24 hour period, or does the 24 hour window "reset" with a successful login?

Thanks in advance for any help!
#2  08-26-2011, 01:08 PM
Moderator, Posts: 1,209

Quote (Originally Posted by thunder04):
Hey All,

I'm trying to decide on the best settings for the Failed Login Policy (we've been running Zimbra for 3+ years and have yet to enable this!) and I have a question about functionality.

Let's say I configure the following settings:

Number of consecutive failed logins allowed: 5
Time to lockout the account: 1 hour
Time window in which the failed logins must occur to lock the account: 24 hours

If a user fails to log in 3 times, but is successful the 4th time, does this mean they will only have two more attempts within the 24 hour period, or does the 24 hour window "reset" with a successful login?

Thanks in advance for any help!
I'd shorten the time window to something like 15-30 minutes or so. The policy is really designed to protect a mailbox from an automated password-guessing attack.

We also implement forced password rotations, and limited password history reuse.

If you Google for HIPAA-compliant password policies you'll find some good examples you can replicate, along with justification for management who may resist the perceived inconvenience from implementing these kinds of policies.

Hope that helps,
Mark
__________________
L. Mark Stone, CIO

"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
#3  08-29-2011, 08:01 AM
thunder04 (Special Member, Posts: 103)

The values provided were simply to be an example.

My true question is: How does the "Time window in which the failed logins must occur to lock the account:" work?

Does a successful login reset the "Time window in which the failed logins must occur to lock the account"?

If I attempt to log in and fail 3 times, but am successful the 4th time, do I still have 3 less tries to log in? Or do my "attempts remaining" reset since I've successfully logged in?

If I've locked my account due to reaching maximum failed logins, wait for my account to become unlocked but am still within the "Time window in which the failed logins must occur..." window, and attempt to log in again....will I only be allowed one attempt? Or, since my account was unlocked, does this reset my "attempts remaining" to log in?

Perhaps I should stop over-thinking it (though I'd love to understand how it works) and simply ask...what are folks out there setting these to and why?
#4  08-29-2011, 10:05 AM
Moderator, Posts: 1,209

Quote (Originally Posted by thunder04):
The values provided were simply to be an example.
Thanks for clarifying.

Quote (Originally Posted by thunder04):
My true question is: How does the "Time window in which the failed logins must occur to lock the account:" work?

Does a successful login reset the "Time window in which the failed logins must occur to lock the account"?
That is my understanding, but we have not tested it formally.


Quote (Originally Posted by thunder04):
If I attempt to log in and fail 3 times, but am successful the 4th time, do I still have 3 less tries to log in? Or do my "attempts remaining" reset since I've successfully logged in?
Our understanding is that the failed-attempts counter is reset upon a successful login, but again, we have not tested this formally. We have however seen a greater number of failed login attempts within the set time from different devices. For example, the user gets prompted to change their Zimbra password at work and does so successfully, but their iPad and ZDesktop at home are still attempting to log in with their old password.

Quote (Originally Posted by thunder04):
If I've locked my account due to reaching maximum failed logins, wait for my account to become unlocked but am still within the "Time window in which the failed logins must occur..." window, and attempt to log in again....will I only be allowed one attempt? Or, since my account was unlocked, does this reset my "attempts remaining" to log in?
As above, our understanding is that any successful login essentially resets everything.

Quote (Originally Posted by thunder04):
Perhaps I should stop over-thinking it (though I'd love to understand how it works) and simply ask...what are folks out there setting these to and why?
Good idea! ;-)

We allow eight failed login attempts within a 15-minute window and log out the user for an hour.

We also make use of the script zmauditwatch; see page 198 in the latest Administrator's Guide.

Hope that helps,
Mark
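A worked model of the three policy parameters discussed in this thread, added here as an example; it is not code from Zimbra or from anyone posting above. It assumes the semantics Mark describes (a successful login clears the failure counter, and an expired lockout starts a fresh count) and exposes the first one as a switch so both readings of the original question can be compared side by side. It also replays the stale-device case from post #4 under the 8 failures / 15 minutes / 1 hour settings, showing why a device retrying an old password every 2 minutes trips the lockout while one retrying every 3 minutes never accumulates enough failures inside the window. The account name, timestamps and retry intervals are constructed.

```python
"""Model of a failed-login lockout policy with the three settings from the thread.

Constructed example. The rules below (failures expire after the window,
a success clears the counter, an expired lockout starts a fresh count)
are the assumptions discussed in the thread, not verified Zimbra behaviour.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int               # "Number of consecutive failed logins allowed"
    lockout_duration: timedelta     # "Time to lockout the account"
    failure_lifetime: timedelta     # "Time window in which the failed logins must occur"
    reset_on_success: bool = True   # assumption from the thread; False = the other reading


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # timestamps still being counted
    locked_until: Optional[datetime] = None


class LoginTracker:
    """Tracks failed logins per account and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def _prune(self, st: AccountState, when: datetime) -> None:
        # Failures older than the window no longer count toward a lockout.
        st.failures = [t for t in st.failures if when - t < self.policy.failure_lifetime]

    def attempt(self, account: str, when: datetime, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'fail' or 'locked'."""
        st = self._state(account)
        if st.locked_until is not None:
            if when < st.locked_until:
                return "locked"            # still inside the lockout period
            st.locked_until = None         # lockout expired: fresh count (assumption)
            st.failures = []
        self._prune(st, when)
        if password_ok:
            if self.policy.reset_on_success:
                st.failures = []           # assumption: success clears the counter
            return "ok"
        st.failures.append(when)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = when + self.policy.lockout_duration
            return "locked"
        return "fail"

    def remaining(self, account: str, when: datetime) -> int:
        """Attempts left before a lockout, counting only failures inside the window."""
        st = self._state(account)
        if st.locked_until is not None:
            return 0 if when < st.locked_until else self.policy.max_failures
        self._prune(st, when)
        return self.policy.max_failures - len(st.failures)


T0 = datetime(2011, 8, 29, 8, 0)   # constructed starting time for the scenarios
USER = "user@example.com"          # constructed account name


def question_scenario(reset_on_success: bool) -> int:
    """The original poster's case: 5 allowed, 3 failures, then a success.
    Returns the attempts remaining afterwards under the chosen interpretation."""
    policy = LockoutPolicy(5, timedelta(hours=1), timedelta(hours=24), reset_on_success)
    tracker = LoginTracker(policy)
    for i in range(3):
        tracker.attempt(USER, T0 + timedelta(minutes=i), password_ok=False)
    tracker.attempt(USER, T0 + timedelta(minutes=3), password_ok=True)
    return tracker.remaining(USER, T0 + timedelta(minutes=4))


def stale_device_scenario(interval_minutes: int, attempts: int = 10) -> List[str]:
    """Mark's example: the password was changed at work, but a device at home keeps
    retrying the old one. Uses 8 failures / 15-minute window / 1-hour lockout and
    returns the outcome of each retry."""
    policy = LockoutPolicy(8, timedelta(hours=1), timedelta(minutes=15))
    tracker = LoginTracker(policy)
    return [tracker.attempt(USER, T0 + timedelta(minutes=interval_minutes * i), False)
            for i in range(attempts)]


if __name__ == "__main__":
    print("remaining after 3 fails + success, reset on success:", question_scenario(True))
    print("remaining after 3 fails + success, no reset:", question_scenario(False))
    print("device retrying every 2 min:", stale_device_scenario(2))
    print("device retrying every 3 min:", stale_device_scenario(3))
```

The two calls to question_scenario give 5 and 2, which are exactly the two outcomes the original question asks about; the difference is entirely in whether a success clears the counter. The stale-device runs show the window doing its job: at a 2-minute retry interval the eighth failure lands 14 minutes after the first, all eight are inside the 15-minute window, and the account locks; at a 3-minute interval at most five failures are ever inside the window at once, so the account is never locked even though the device keeps failing indefinitely. That is the trade-off behind Mark's advice to keep the window short.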