According to a helpful TechNet article on Microsoft’s website, an ideal number of login attempts before locking a user out of his or her account is 50. The reasoning is mainly to give the user a reasonable number of attempts to log in without having to resort to calling the Help Desk for such a routine, repeatable problem. But for those who don’t have the guts to set the account lockout threshold that high, you can start with as few as 4 and as many as 10 attempts and see how you like the results. More from Microsoft:
The Account lockout threshold policy setting determines the number of failed logon attempts that will cause a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the number of minutes specified by Account lockout duration expires. You can set a value from 1 through 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed logons that can be performed nearly eliminates the effectiveness of such attacks.
However, it is important to note that a denial-of-service attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock out every account.
Because it will not prevent a brute force attack, a value of 0 should only be chosen if both of the following criteria are explicitly met:
- Password Policy settings force all users to have complex passwords made up of eight or more characters.
- A robust auditing mechanism is in place to alert administrators when a series of failed logons are occurring in the environment.
If these criteria cannot be met, set Account lockout threshold to a high enough value that users can accidentally mistype their password several times before they are locked out of their account, but ensure that a brute-force password attack would still lock out the account. It is advisable to specify a value of 50 invalid logon attempts. Keep in mind, however, that although this setting can reduce the number of Help Desk calls by reducing the number of user lockouts, it cannot prevent a denial-of-service attack.
The threshold that you select is a balance between operational efficiency and security, and it depends on your organization’s risk level. To allow for user error and thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization.
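As an added illustration (not from the Microsoft article or this post), here is a small Python model of how the three settings interact, so a proposed threshold can be checked for whether it tolerates ordinary typos while still stopping automated guessing. The minute-based timing and the treatment of a lockout duration of 0 as "locked until an administrator unlocks" are assumptions of this model, not statements from the article.

```python
from dataclasses import dataclass

INF = float("inf")


@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold: failed logons before lockout, 0 = never lock
    duration_min: int     # Account lockout duration in minutes; 0 = until an admin unlocks (assumed)
    reset_after_min: int  # Reset account lockout counter after, in minutes

    def validate(self) -> None:
        """Enforce the constraints quoted in the policy description above."""
        if not 0 <= self.threshold <= 999:
            raise ValueError("threshold must be between 0 and 999")
        # A duration of 0 (indefinite) is assumed to satisfy 'duration >= reset window'.
        if self.threshold > 0 and 0 < self.duration_min < self.reset_after_min:
            raise ValueError("lockout duration must be >= reset-counter window")


@dataclass
class Account:
    failed: int = 0             # bad-password counter
    last_fail: float = -INF     # minute of the most recent failed logon
    locked_until: float = -INF  # minute the lockout ends; INF = until admin unlock


def attempt(acct: Account, pol: LockoutPolicy, t: float, password_ok: bool) -> str:
    """Apply one logon attempt at minute t; returns 'success', 'failure' or 'locked'."""
    if t < acct.locked_until:
        return "locked"           # attempts during a lockout are rejected and not counted
    acct.locked_until = -INF      # any earlier lockout has expired
    if t - acct.last_fail > pol.reset_after_min:
        acct.failed = 0           # observation window elapsed: counter resets
    if password_ok:
        acct.failed = 0
        return "success"
    acct.failed += 1
    acct.last_fail = t
    if pol.threshold and acct.failed >= pol.threshold:
        acct.failed = 0
        acct.locked_until = INF if pol.duration_min == 0 else t + pol.duration_min
        return "locked"
    return "failure"


def simulate(pol: LockoutPolicy, schedule) -> list:
    """schedule: iterable of (minute, password_ok); returns the outcome of each attempt."""
    pol.validate()
    acct = Account()
    return [attempt(acct, pol, t, ok) for t, ok in schedule]
```

With threshold 50, duration 30 and reset window 30, five typos spread over 40 minutes never lock the account, while 60 guesses inside one minute lock it on the 50th and keep it locked for the duration.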