Why is password lockout an effective deterrent to cracking attempts?
A. Passwords cannot be changed through brute-force methods
B. A limited number of login attempts before lockout reduces the number of guesses the potential cracker can make
C. Passwords protected in this manner are impossible to find because they are locked out of the main flow of information on the WAN
D. Password lockout provides no real improvement over traditional locking methods.
Explanation:
Password lockout disables a user account after a specified number of consecutive incorrect password attempts. The lockout can last for a fixed time period or until an administrator manually re-enables the account; a time period is usually chosen to reduce administrative effort. In either case the number of guesses is reduced. For example, suppose the policy locks the account after 3 failures and automatically clears the lockout after 20 minutes. That allows a maximum of 9 failures per hour, or 216 guesses per day. Without lockout, on a fast system, a hacker could probably run thousands of guesses per hour, so password lockout introduces a substantial speed bump to the cracking process.
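The arithmetic above (threshold × lockout windows per day) is the whole point of the control, so the following added example, which is not part of the original question or explanation, implements a minimal lockout guard and measures how many guesses an online guessing loop actually gets evaluated per hour under the 3-failures / 20-minute policy. The credential store, user names and passwords are constructed for the demonstration; the class and function names are this example's own.

```python
from dataclasses import dataclass, field
import hmac


@dataclass
class LockoutPolicy:
    """Lockout after `threshold` consecutive failures, cleared after `duration_s` seconds."""
    threshold: int = 3
    duration_s: int = 20 * 60


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success or lockout
    locked_until: int = 0      # integer seconds; 0 means not locked


# Constructed demo credential store (plaintext only to keep the example short;
# a real system compares against a salted password hash).
DEMO_CREDENTIALS = {"alice": "correct-horse", "victim": "battery-staple"}


def demo_check_password(user: str, password: str) -> bool:
    stored = DEMO_CREDENTIALS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class LockoutGuard:
    """Wraps a password check with a per-account consecutive-failure counter and timed lockout.

    Result codes:
      "ok"         correct password, counter reset
      "fail"       wrong password, counter incremented
      "locked_now" wrong password that reached the threshold and started a lockout
      "locked"     account is locked; the guess is rejected without being evaluated
    """

    def __init__(self, policy: LockoutPolicy, check_password):
        self.policy = policy
        self._check = check_password
        self._accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: int) -> str:
        st = self._accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            # While locked, even the correct password is refused: the attacker
            # learns nothing about whether this guess was right.
            return "locked"
        if self._check(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.failures = 0
            st.locked_until = now + self.policy.duration_s
            return "locked_now"
        return "fail"


def max_guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on evaluated wrong guesses per day: threshold per lockout window."""
    windows_per_day = 86400 // policy.duration_s
    return policy.threshold * windows_per_day


def simulate_guessing(policy: LockoutPolicy, seconds: int = 3600) -> tuple[int, int]:
    """One wrong guess per second against a single account for `seconds` seconds.

    Returns (evaluated, rejected): guesses the server actually checked versus
    guesses refused outright because the account was locked.
    """
    guard = LockoutGuard(policy, demo_check_password)
    evaluated = rejected = 0
    for t in range(seconds):
        result = guard.attempt("victim", f"guess{t}", now=t)  # never matches the stored value
        if result == "locked":
            rejected += 1
        else:
            evaluated += 1
    return evaluated, rejected


if __name__ == "__main__":
    policy = LockoutPolicy()
    print("max evaluated guesses/day:", max_guesses_per_day(policy))
    ev, rej = simulate_guessing(policy)
    print(f"in one hour: {ev} guesses evaluated, {rej} rejected while locked")
```

With the default policy the hour-long loop gets exactly 9 guesses evaluated (3 per 20-minute window) and the remaining 3591 are refused unread, matching the 9 per hour and 216 per day figures in the explanation. Tightening the policy changes only the two numbers in `LockoutPolicy`.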
Incorrect Answers:
A: Password lockout does not affect password changing, unless the account requires the original password to make the change. At this point the hacker already has the password, because entry to the account has already occurred.
C: Whether passwords are sent in the clear or encrypted, lockout does not protect the password itself as it flows through the system. Password lockout acts as a governor on brute-force attempts to guess the password. Capturing passwords as they flow across the WAN is eavesdropping (sniffing or snooping), and password lockout is not a solution for that type of problem.
D: Password lockout is highly effective.