Abstract

It is considered good practice to lock users out if they enter the wrong password three times. This is applied almost universally by systems across the globe. Three tries is probably considered a good balance between allowing the legitimate user to make some genuine errors and foiling an attacker. It must be acknowledged that this rule makes sense intuitively yet there is no empirical evidence that three tries is the most efficacious number. It is entirely possible that the number should not be three, but some other number, such as five or even seven. It is very hard to test this since attempts could be either a legitimate user attempting to recall his/her password, or an intruder trying to breach the account. If an attacker is allowed more attempts one could imagine the system’s security being compromised. Here we argue for the use of a simulation engine to test the effects of such password-related security measures on the security of the entire eco-system. A simulation approach expedites no-risk empirical testing. We use a simulator called SimPass which models both user password-related behaviour and potential password-based attacks from within and outside an organization. We will firstly validate SimPass’s output by quantifying the security impact of increasing the prevalence of password sharing. This kind of behaviour has predictable results, since increased sharing will inevitably lead to more use of others’ credentials. Having shown that SimPass produces credible results, we then test different settings for locking of accounts after a certain number of failed authentication attempts to determine the optimal setting. We find that a three times lockout policy might well be too stringent.