Is displaying remaining password retry count a security risk?












4















Some websites display a remaining password retry count when I input wrong passwords more than twice. For example, displaying that there are 3 retries remaining until locking out my account. Is this dangerous from security perspective ?










share|improve this question





























    4















    Some websites display a remaining password retry count when I input wrong passwords more than twice. For example, displaying that there are 3 retries remaining until locking out my account. Is this dangerous from security perspective ?










    share|improve this question



























      4












      4








      4








      Some websites display a remaining password retry count when I input wrong passwords more than twice. For example, displaying that there are 3 retries remaining until locking out my account. Is this dangerous from security perspective ?










      share|improve this question
















      Some websites display a remaining password retry count when I input wrong passwords more than twice. For example, displaying that there are 3 retries remaining until locking out my account. Is this dangerous from security perspective ?







      authentication password-policy account-security






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 5 hours ago









      Snappie

      297126




      297126










      asked 6 hours ago









      Ahmet ArslanAhmet Arslan

      1313




      1313






















          6 Answers
          6






          active

          oldest

          votes


















          7














          It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.



          Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.



          You must ask yourself: what is the benefit of showing this information to a genuine user? Often, this problems with lockout occurs because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.



          NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.



          I will add the NIST references when the site comes back up. Troy hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.






          share|improve this answer

































            1














            Only two scenario is possible with it but rather showing account lockout time policy risk is more over lockout time.



            E.g.




            • once can configure the hydra or some other tool to brute force the login and wait after 3 attempts. if you don't have sufficient locking time it can cause an account compromise.


            • if you have 30 mins or so locking time then its though we can configure the tool for brute force and wait after three attempts it will take years to crack the password.



            to conclude this their no risk involve in displaying account lockout attempt.






            share|improve this answer































              0














              I lean in general towards the less information you give to an attacker the better. As @security-beast mentioned a tool can be configured to wait the appropriate amount of time. Giving them the information for that configuration is not necessarily ideal.



              However, you have to balance this with the needs of your users. Do you find that the system admins spend an inordinate amount of time unlocking accounts because your users keep locking them? If that's the case then your analysis may indicate that you get more benefit from displaying the number of retries to your users so they know when they need to wait before locking their accounts. In other cases the opposite will be true, but either way the answer should be the result of an objective analysis of the trade-offs for the particular system.



              Hope this helps.






              share|improve this answer
























              • I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                – jfran3
                5 hours ago



















              0














              Based on the information provided we can't really answer this question. The frontend can display whatever developers want you to see and it has nothing to do with the security. How would you for a fact know that your account is locked on the backend? What does lock mean in this scope? There is an infinite number of possible configurations on the backend. If you design a system with this feature as an absolute must, then I'm sure there is a safe way of implementing it.






              share|improve this answer































                0














                Security Risk is subjective it will depend on what you are trying to protect the objective of the security control and any other security control in place that mitigate or compensate the risk.



                Based on this different companies / business will have different acceptance to same risk.



                If in a generic way providing how many attempts your still have might not impose a risk (e.g.: PIN in your smart card to make phone calls)
                In other situations it might be a risk (e.g.: trying to brute force mobile phone access) where you can stop before the last attempt and wait some time so the user resets the counter with a valid access...



                You should check on the objective of the security control, what you are trying to protect and what security controls you have in place that will compensate or at least monitor abnormal situations.



                Based on all this then you can decide if it is an acceptable risk or not for your specifics.






                share|improve this answer































                  0














                  To give another perspective on this: it doesn't matter for a skilled attacker.



                  How are online accounts compromised today typically1? There are two variations of one technique that are commonly used.



                  Databases with password hashes (or passwords in plaintext) get stolen and are cracked offline by attackers. After successfully cracking a hash the correct password is served to the login mechanism on the first try, so this control is ineffective.



                  This can either be the database of the service in question or the database of another service. Unfortunately people tend to reuse their passwords with several services so chances are high, that once a password is matched to an e-mail adress, it can be used on another site. An attacker might have two or three passwords to choose from, but probably not 20. Again, this control is ineffective.



                  So what level of security does this control establish? The level that is necessary to protect from inexperienced script kiddies, malicious ex-partners and nosy parents that want to take a look at your personal account and try five passwords at random. No more, but no less.





                  1 Then there are of course other techniques that are more "advanced" like keylogging, (spear)-phishing, MitM etc. which are as well not mitigated by this control.






                  share|improve this answer























                    Your Answer








                    StackExchange.ready(function() {
                    var channelOptions = {
                    tags: "".split(" "),
                    id: "162"
                    };
                    initTagRenderer("".split(" "), "".split(" "), channelOptions);

                    StackExchange.using("externalEditor", function() {
                    // Have to fire editor after snippets, if snippets enabled
                    if (StackExchange.settings.snippets.snippetsEnabled) {
                    StackExchange.using("snippets", function() {
                    createEditor();
                    });
                    }
                    else {
                    createEditor();
                    }
                    });

                    function createEditor() {
                    StackExchange.prepareEditor({
                    heartbeatType: 'answer',
                    autoActivateHeartbeat: false,
                    convertImagesToLinks: false,
                    noModals: true,
                    showLowRepImageUploadWarning: true,
                    reputationToPostImages: null,
                    bindNavPrevention: true,
                    postfix: "",
                    imageUploader: {
                    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                    allowUrls: true
                    },
                    noCode: true, onDemand: true,
                    discardSelector: ".discard-answer"
                    ,immediatelyShowMarkdownHelp:true
                    });


                    }
                    });














                    draft saved

                    draft discarded


















                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201566%2fis-displaying-remaining-password-retry-count-a-security-risk%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown

























                    6 Answers
                    6






                    active

                    oldest

                    votes








                    6 Answers
                    6






                    active

                    oldest

                    votes









                    active

                    oldest

                    votes






                    active

                    oldest

                    votes









                    7














                    It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.



                    Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.



                    You must ask yourself: what is the benefit of showing this information to a genuine user? Often, this problems with lockout occurs because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.



                    NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.



                    I will add the NIST references when the site comes back up. Troy hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.






                    share|improve this answer






























                      7














                      It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.



                      Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.



                      You must ask yourself: what is the benefit of showing this information to a genuine user? Often, this problems with lockout occurs because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.



                      NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.



                      I will add the NIST references when the site comes back up. Troy hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.






                      share|improve this answer




























                        7












                        7








                        7







                        It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.



                        Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.



                        You must ask yourself: what is the benefit of showing this information to a genuine user? Often, this problems with lockout occurs because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.



                        NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.



                        I will add the NIST references when the site comes back up. Troy hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.






                        share|improve this answer















                        It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a skilled attacker will have determined the lockout policy up front and will take this into account when guessing the password. So the impact is limited.



                        Also, relying on this to protect your login mechanism is missing the point. You should have a decent password policy and a lockout policy to match. If the password policy is strong, an attacker will have to guess 1000s of times before getting it right. If you lock an account after 20 attempts, you have little chance of getting compromised.



                        You must ask yourself: what is the benefit of showing this information to a genuine user? Often, this problems with lockout occurs because the number of tries is set too low. 3 or 5 are common choices. NIST (Currently unavailable due to government shutdown so no direct reference yet) suggests less than 100 attempts.



                        NIST has a point: think of a password which no attacker will guess in 3 attempts, but which they will guess in 100 attempts. All attackers use different dictionaries and approaches. If a password is unsafe to withstand 100 guesses it can also be breached using fewer attempts - although that is less likely. Therefore a good password policy is a must.



                        I will add the NIST references when the site comes back up. Troy hunt has some good blog posts which summarize password and login mechanisms. He is a fan of the NIST guidelines as well.







                        share|improve this answer














                        share|improve this answer



                        share|improve this answer








                        edited 10 mins ago









                        psmears

                        85069




                        85069










                        answered 5 hours ago









                        SilverSilver

                        1,346518




                        1,346518

























                            1














                            Only two scenario is possible with it but rather showing account lockout time policy risk is more over lockout time.



                            E.g.




                            • once can configure the hydra or some other tool to brute force the login and wait after 3 attempts. if you don't have sufficient locking time it can cause an account compromise.


                            • if you have 30 mins or so locking time then its though we can configure the tool for brute force and wait after three attempts it will take years to crack the password.



                            to conclude this their no risk involve in displaying account lockout attempt.






                            share|improve this answer




























                              1














                              Only two scenario is possible with it but rather showing account lockout time policy risk is more over lockout time.



                              E.g.




                              • once can configure the hydra or some other tool to brute force the login and wait after 3 attempts. if you don't have sufficient locking time it can cause an account compromise.


                              • if you have 30 mins or so locking time then its though we can configure the tool for brute force and wait after three attempts it will take years to crack the password.



                              to conclude this their no risk involve in displaying account lockout attempt.






                              share|improve this answer


























                                1












                                1








                                1







                                Only two scenario is possible with it but rather showing account lockout time policy risk is more over lockout time.



                                E.g.




                                • once can configure the hydra or some other tool to brute force the login and wait after 3 attempts. if you don't have sufficient locking time it can cause an account compromise.


                                • if you have 30 mins or so locking time then its though we can configure the tool for brute force and wait after three attempts it will take years to crack the password.



                                to conclude this their no risk involve in displaying account lockout attempt.






                                share|improve this answer













                                Only two scenario is possible with it but rather showing account lockout time policy risk is more over lockout time.



                                E.g.




                                • once can configure the hydra or some other tool to brute force the login and wait after 3 attempts. if you don't have sufficient locking time it can cause an account compromise.


                                • if you have 30 mins or so locking time then its though we can configure the tool for brute force and wait after three attempts it will take years to crack the password.



                                to conclude this their no risk involve in displaying account lockout attempt.







                                share|improve this answer












                                share|improve this answer



                                share|improve this answer










                                answered 6 hours ago









                                Security BeastSecurity Beast

                                1163




                                1163























                                    0














                                    I lean in general towards the less information you give to an attacker the better. As @security-beast mentioned a tool can be configured to wait the appropriate amount of time. Giving them the information for that configuration is not necessarily ideal.



                                    However, you have to balance this with the needs of your users. Do you find that the system admins spend an inordinate amount of time unlocking accounts because your users keep locking them? If that's the case then your analysis may indicate that you get more benefit from displaying the number of retries to your users so they know when they need to wait before locking their accounts. In other cases the opposite will be true, but either way the answer should be the result of an objective analysis of the trade-offs for the particular system.



                                    Hope this helps.






                                    share|improve this answer
























                                    • I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                                      – jfran3
                                      5 hours ago
















                                    0














                                    I lean in general towards the less information you give to an attacker the better. As @security-beast mentioned a tool can be configured to wait the appropriate amount of time. Giving them the information for that configuration is not necessarily ideal.



                                    However, you have to balance this with the needs of your users. Do you find that the system admins spend an inordinate amount of time unlocking accounts because your users keep locking them? If that's the case then your analysis may indicate that you get more benefit from displaying the number of retries to your users so they know when they need to wait before locking their accounts. In other cases the opposite will be true, but either way the answer should be the result of an objective analysis of the trade-offs for the particular system.



                                    Hope this helps.






                                    share|improve this answer
























                                    • I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                                      – jfran3
                                      5 hours ago














                                    0












                                    0








                                    0







                                    I lean in general towards the less information you give to an attacker the better. As @security-beast mentioned a tool can be configured to wait the appropriate amount of time. Giving them the information for that configuration is not necessarily ideal.



                                    However, you have to balance this with the needs of your users. Do you find that the system admins spend an inordinate amount of time unlocking accounts because your users keep locking them? If that's the case then your analysis may indicate that you get more benefit from displaying the number of retries to your users so they know when they need to wait before locking their accounts. In other cases the opposite will be true, but either way the answer should be the result of an objective analysis of the trade-offs for the particular system.



                                    Hope this helps.






                                    share|improve this answer













                                    I lean in general towards the less information you give to an attacker the better. As @security-beast mentioned a tool can be configured to wait the appropriate amount of time. Giving them the information for that configuration is not necessarily ideal.



                                    However, you have to balance this with the needs of your users. Do you find that the system admins spend an inordinate amount of time unlocking accounts because your users keep locking them? If that's the case then your analysis may indicate that you get more benefit from displaying the number of retries to your users so they know when they need to wait before locking their accounts. In other cases the opposite will be true, but either way the answer should be the result of an objective analysis of the trade-offs for the particular system.



                                    Hope this helps.







                                    share|improve this answer












                                    share|improve this answer



                                    share|improve this answer










                                    answered 5 hours ago









                                    jfran3jfran3

                                    366




                                    366













                                    • I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                                      – jfran3
                                      5 hours ago



















                                    • I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                                      – jfran3
                                      5 hours ago

















                                    I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                                    – jfran3
                                    5 hours ago





                                    I hadn't seen Silver's comment when I posted, but I would second the NIST guidelines as a good base to start with.

                                    – jfran3
                                    5 hours ago











                                    0














                                    Based on the information provided we can't really answer this question. The frontend can display whatever developers want you to see and it has nothing to do with the security. How would you for a fact know that your account is locked on the backend? What does lock mean in this scope? There is an infinite number of possible configurations on the backend. If you design a system with this feature as an absolute must, then I'm sure there is a safe way of implementing it.






                                    share|improve this answer




























                                      0














                                      Based on the information provided we can't really answer this question. The frontend can display whatever developers want you to see and it has nothing to do with the security. How would you for a fact know that your account is locked on the backend? What does lock mean in this scope? There is an infinite number of possible configurations on the backend. If you design a system with this feature as an absolute must, then I'm sure there is a safe way of implementing it.






                                      share|improve this answer


























                                        0












                                        0








                                        0







                                        Based on the information provided we can't really answer this question. The frontend can display whatever developers want you to see and it has nothing to do with the security. How would you for a fact know that your account is locked on the backend? What does lock mean in this scope? There is an infinite number of possible configurations on the backend. If you design a system with this feature as an absolute must, then I'm sure there is a safe way of implementing it.






                                        share|improve this answer













                                        Based on the information provided we can't really answer this question. The frontend can display whatever developers want you to see and it has nothing to do with the security. How would you for a fact know that your account is locked on the backend? What does lock mean in this scope? There is an infinite number of possible configurations on the backend. If you design a system with this feature as an absolute must, then I'm sure there is a safe way of implementing it.







                                        share|improve this answer












                                        share|improve this answer



                                        share|improve this answer










                                        answered 1 hour ago









                                        Kamil KurzynowskiKamil Kurzynowski

                                        1




                                        1























                                            0














                                            Security Risk is subjective it will depend on what you are trying to protect the objective of the security control and any other security control in place that mitigate or compensate the risk.



                                            Based on this different companies / business will have different acceptance to same risk.



                                            If in a generic way providing how many attempts your still have might not impose a risk (e.g.: PIN in your smart card to make phone calls)
                                            In other situations it might be a risk (e.g.: trying to brute force mobile phone access) where you can stop before the last attempt and wait some time so the user resets the counter with a valid access...



                                            You should check on the objective of the security control, what you are trying to protect and what security controls you have in place that will compensate or at least monitor abnormal situations.



                                            Based on all this then you can decide if it is an acceptable risk or not for your specifics.






                                            share|improve this answer




























                                              0














                                              Security Risk is subjective it will depend on what you are trying to protect the objective of the security control and any other security control in place that mitigate or compensate the risk.



                                              Based on this different companies / business will have different acceptance to same risk.



                                              If in a generic way providing how many attempts your still have might not impose a risk (e.g.: PIN in your smart card to make phone calls)
                                              In other situations it might be a risk (e.g.: trying to brute force mobile phone access) where you can stop before the last attempt and wait some time so the user resets the counter with a valid access...



                                              You should check on the objective of the security control, what you are trying to protect and what security controls you have in place that will compensate or at least monitor abnormal situations.



                                              Based on all this then you can decide if it is an acceptable risk or not for your specifics.






                                              share|improve this answer


























                                                0












                                                0








                                                0







                                                Security Risk is subjective it will depend on what you are trying to protect the objective of the security control and any other security control in place that mitigate or compensate the risk.



                                                Based on this different companies / business will have different acceptance to same risk.



                                                If in a generic way providing how many attempts your still have might not impose a risk (e.g.: PIN in your smart card to make phone calls)
                                                In other situations it might be a risk (e.g.: trying to brute force mobile phone access) where you can stop before the last attempt and wait some time so the user resets the counter with a valid access...



                                                You should check on the objective of the security control, what you are trying to protect and what security controls you have in place that will compensate or at least monitor abnormal situations.



                                                Based on all this then you can decide if it is an acceptable risk or not for your specifics.






                                                share|improve this answer













                                                Security Risk is subjective it will depend on what you are trying to protect the objective of the security control and any other security control in place that mitigate or compensate the risk.



                                                Based on this different companies / business will have different acceptance to same risk.



                                                If in a generic way providing how many attempts your still have might not impose a risk (e.g.: PIN in your smart card to make phone calls)
                                                In other situations it might be a risk (e.g.: trying to brute force mobile phone access) where you can stop before the last attempt and wait some time so the user resets the counter with a valid access...



                                                You should check on the objective of the security control, what you are trying to protect and what security controls you have in place that will compensate or at least monitor abnormal situations.



                                                Based on all this then you can decide if it is an acceptable risk or not for your specifics.







                                                share|improve this answer












                                                share|improve this answer



                                                share|improve this answer










                                                answered 1 hour ago









                                                HugoHugo

                                                72238




                                                72238























                                                    0














                                                    To give another perspective on this: it doesn't matter for a skilled attacker.



                                                    How are online accounts compromised today typically1? There are two variations of one technique that are commonly used.



                                                    Databases with password hashes (or passwords in plaintext) get stolen and are cracked offline by attackers. After successfully cracking a hash the correct password is served to the login mechanism on the first try, so this control is ineffective.



                                                    This can either be the database of the service in question or the database of another service. Unfortunately people tend to reuse their passwords with several services so chances are high, that once a password is matched to an e-mail adress, it can be used on another site. An attacker might have two or three passwords to choose from, but probably not 20. Again, this control is ineffective.



                                                    So what level of security does this control establish? The level that is necessary to protect from inexperienced script kiddies, malicious ex-partners and nosy parents that want to take a look at your personal account and try five passwords at random. No more, but no less.





                                                    1 Then there are of course other techniques that are more "advanced" like keylogging, (spear)-phishing, MitM etc. which are as well not mitigated by this control.






                                                    share|improve this answer




























                                                      0














                                                      To give another perspective on this: it doesn't matter for a skilled attacker.



                                                      How are online accounts compromised today typically1? There are two variations of one technique that are commonly used.



                                                      Databases with password hashes (or passwords in plaintext) get stolen and are cracked offline by attackers. After successfully cracking a hash the correct password is served to the login mechanism on the first try, so this control is ineffective.



                                                      This can either be the database of the service in question or the database of another service. Unfortunately people tend to reuse their passwords with several services so chances are high, that once a password is matched to an e-mail adress, it can be used on another site. An attacker might have two or three passwords to choose from, but probably not 20. Again, this control is ineffective.



                                                      So what level of security does this control establish? The level that is necessary to protect from inexperienced script kiddies, malicious ex-partners and nosy parents that want to take a look at your personal account and try five passwords at random. No more, but no less.





                                                      1 Then there are of course other techniques that are more "advanced" like keylogging, (spear)-phishing, MitM etc. which are as well not mitigated by this control.






                                                      share|improve this answer


























                                                        0












                                                        0








                                                        0







                                                        To give another perspective on this: it doesn't matter for a skilled attacker.



                                                        How are online accounts compromised today typically1? There are two variations of one technique that are commonly used.



                                                        Databases with password hashes (or passwords in plaintext) get stolen and are cracked offline by attackers. After successfully cracking a hash the correct password is served to the login mechanism on the first try, so this control is ineffective.



                                                        This can either be the database of the service in question or the database of another service. Unfortunately people tend to reuse their passwords with several services so chances are high, that once a password is matched to an e-mail adress, it can be used on another site. An attacker might have two or three passwords to choose from, but probably not 20. Again, this control is ineffective.



                                                        So what level of security does this control establish? The level that is necessary to protect from inexperienced script kiddies, malicious ex-partners and nosy parents that want to take a look at your personal account and try five passwords at random. No more, but no less.





                                                        1 Then there are of course other techniques that are more "advanced" like keylogging, (spear)-phishing, MitM etc. which are as well not mitigated by this control.






                                                        share|improve this answer













                                                        To give another perspective on this: it doesn't matter for a skilled attacker.



                                                        How are online accounts compromised today typically1? There are two variations of one technique that are commonly used.



                                                        Databases with password hashes (or passwords in plaintext) get stolen and are cracked offline by attackers. After successfully cracking a hash the correct password is served to the login mechanism on the first try, so this control is ineffective.



                                                        This can either be the database of the service in question or the database of another service. Unfortunately people tend to reuse their passwords with several services so chances are high, that once a password is matched to an e-mail adress, it can be used on another site. An attacker might have two or three passwords to choose from, but probably not 20. Again, this control is ineffective.



                                                        So what level of security does this control establish? The level that is necessary to protect from inexperienced script kiddies, malicious ex-partners and nosy parents that want to take a look at your personal account and try five passwords at random. No more, but no less.





                                                        1 Then there are of course other techniques that are more "advanced" like keylogging, (spear)-phishing, MitM etc. which are as well not mitigated by this control.







                                                        share|improve this answer












                                                        share|improve this answer



                                                        share|improve this answer










                                                        answered 1 hour ago









                                                        Tom K.Tom K.

                                                        5,46032149




                                                        5,46032149






























                                                            draft saved

                                                            draft discarded




















































                                                            Thanks for contributing an answer to Information Security Stack Exchange!


                                                            • Please be sure to answer the question. Provide details and share your research!

                                                            But avoid



                                                            • Asking for help, clarification, or responding to other answers.

                                                            • Making statements based on opinion; back them up with references or personal experience.


                                                            To learn more, see our tips on writing great answers.




                                                            draft saved


                                                            draft discarded














                                                            StackExchange.ready(
                                                            function () {
                                                            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201566%2fis-displaying-remaining-password-retry-count-a-security-risk%23new-answer', 'question_page');
                                                            }
                                                            );

                                                            Post as a guest















                                                            Required, but never shown





















































                                                            Required, but never shown














                                                            Required, but never shown












                                                            Required, but never shown







                                                            Required, but never shown

































                                                            Required, but never shown














                                                            Required, but never shown












                                                            Required, but never shown







                                                            Required, but never shown







                                                            Popular posts from this blog

                                                            Magento 2 controller redirect on button click in phtml file

                                                            Polycentropodidae