Educause Security Discussion mailing list archives

Re: 802.1X password reset issues


From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Wed, 14 Nov 2018 19:08:45 -0500

We had the same problem and the same complaints around this time last year.
After some investigoogling, I came across this article:

https://ravingroo.com/295/active-directory-account-lockout-policy-threshold-counter-strong-password/


What the author said made sense to us, so we decided to give it a try, and
set our Active Directory policy to the values the article recommends:

Account lockout duration: 5 minutes
Account lockout threshold: 50 invalid logon attempts
Reset account lockout counter after: 1 minute


We haven't had any complaints since (nor have we seen anything to suggest
that what the author says is incorrect).

We chose not to follow the author's other suggestion to abandon the lockout
policy altogether, mostly because we figured the auditors would just make
us put it back. :-)

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu


On Wed, Nov 14, 2018 at 3:37 PM Pardonek, Jim <jpardonek () luc edu> wrote:

We are getting some grumbling from several staff that get into a password
lockout condition when changing their twice a year required password.  We
mostly see this when people have multiple devices connected to the wireless
network and they forget one of them and it locks out from re-auth requests
or if they don’t change the password for their email client and that locks
us out.  We have recommended procedures (turn off all devices but one and
re-do the password one at a time).  We’ve tried to make it less painful by
upping the number of failed password attempts before it locks out, but I
don’t want to get to a point where we sacrifice security for convenience.
Do any of you folks have similar issues and what have you done to make it
easier?



Thanks,



Jim





*James Pardonek, MS, CISSP, CEH, GSNA*

*Information Security Officer*


*Loyola University Chicago, 1032 W. Sheridan Road | Chicago, IL 60660*
*(773) 508-6086*



*Loyola University Chicago will never ask you for your username or
password.*

*For the latest information security news at Loyola, please follow us
online,*

*Twitter: @LUCUISO*

*Facebook: https://www.facebook.com/lucuiso/*

*Our Blog: http://blogs.luc.edu/uiso/*
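
A simplified model of the lockout counter under the three values quoted in the reply above, run against a forgotten device that keeps retrying a stale password. This is an added example, not part of the original thread; the stricter baseline policy, the retry intervals and the exact counter semantics are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int   # "Account lockout threshold" (invalid logon attempts)
    window_s: int    # "Reset account lockout counter after", in seconds
    duration_s: int  # "Account lockout duration", in seconds


# Values quoted in the thread: 50 attempts, 1 minute reset, 5 minute lockout.
THREAD_POLICY = LockoutPolicy(threshold=50, window_s=60, duration_s=300)
# Hypothetical stricter baseline for comparison (constructed, not from the thread).
BASELINE_POLICY = LockoutPolicy(threshold=5, window_s=1800, duration_s=1800)


def locked_seconds(policy, retry_every_s, horizon_s=3600):
    """Seconds within the horizon that the account spends locked out while
    one device retries a stale password every retry_every_s seconds."""
    count = 0
    last_bad = None
    locked_until = 0
    locked_total = 0
    for t in range(0, horizon_s, retry_every_s):
        if t < locked_until:
            continue  # assumption: attempts during a lockout are not counted
        # Assumption: the counter resets once the gap since the previous
        # failed attempt reaches the reset window.
        if last_bad is not None and t - last_bad >= policy.window_s:
            count = 0
        count += 1
        last_bad = t
        if count >= policy.threshold:
            locked_until = t + policy.duration_s
            locked_total += min(locked_until, horizon_s) - t
            count = 0
    return locked_total


if __name__ == "__main__":
    for name, policy in (("baseline", BASELINE_POLICY), ("thread", THREAD_POLICY)):
        for interval in (10, 90):  # constructed retry intervals, in seconds
            secs = locked_seconds(policy, interval)
            print(f"{name:8s} retry every {interval:2d}s: locked {secs:4d}s of 3600s")
```

In this model a device that retries more slowly than the one-minute reset window never trips the 50-attempt threshold, while one that retries faster still does, only for shorter periods.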



