
YALE-MSS-9.10: Prevent brute force attacks

Standards Group:
YALE-MSS-9: Authentication and Authorization

Applicability by device type and risk level:

                   Low Risk       Moderate Risk   High Risk
Endpoint           Not Required   Not Required    Upcoming
Server             Not Required   Not Required    Upcoming
Mobile Device      Not Required   Not Required    Upcoming
Network Printer    Not Required   Not Required    Upcoming

Details

Rate limiting and temporary account lockouts are effective ways to thwart automated, rapid-fire password guessing. Use the two together: rate limiting slows down each guess, and lockout caps how many guesses an attacker gets against a given account before being stopped.

Brute-force guessing of user credentials is a cheap and common attacker technique.

Limit the number of consecutive invalid login attempts to something reasonable, for example three or four, within a modest period of time, such as five minutes. When the failed-login threshold is exceeded, trigger a temporary account lockout for a modest duration, such as 10 minutes. Track the failure counter per account (not only per source IP address), since an attacker can spread guesses across many addresses, and reset it on a successful login. Keep the lockout temporary: a permanent lockout lets an attacker deliberately lock legitimate users out of their accounts.
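The following is an added example, not code from the Yale standard or from any Yale authentication service. It implements the policy described above (a threshold of four consecutive failures inside a five-minute window, followed by a ten-minute lockout) as a small per-account throttle. The class and function names, the injectable clock, and the sample credential store are assumptions made for the example; a real deployment would verify against password hashes and persist the counters in shared storage.

```python
import hmac
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Tunable values from the standard's examples (assumed defaults)."""
    max_failures: int = 4          # consecutive failures allowed in the window
    window_seconds: float = 300.0  # five-minute sliding window
    lockout_seconds: float = 600.0 # ten-minute temporary lockout


class LoginThrottle:
    """Per-account failed-login tracking with a temporary lockout.

    The counter is keyed on the account name rather than the source IP,
    so guesses spread across many addresses still count against the
    target account. The clock is injectable so the behaviour can be tested
    without waiting.
    """

    def __init__(self, policy=LockoutPolicy(), clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time the lockout expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear it and start the account with a clean slate.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Record one failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        # Drop failures older than the sliding window.
        while recent and now - recent[0] > self.policy.window_seconds:
            recent.popleft()
        if len(recent) >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.lockout_seconds
            recent.clear()
            return True
        return False

    def record_success(self, account):
        # "Consecutive" failures: a good login resets the counter.
        self._failures.pop(account, None)

    def attempt(self, account, password, verify):
        """Return 'locked', 'failed' or 'ok'. The caller should show the
        client the same generic error for 'locked' and 'failed' and log the
        distinction server-side, so lockouts do not leak account existence."""
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "locked" if self.is_locked(account) else "failed"


class FakeClock:
    """Manually advanced clock used by demo() instead of real time."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


# Constructed sample credential store for the demo (plaintext only to keep
# the example short; real systems compare against a password hash).
_CREDENTIALS = {"alice": "correct horse battery staple"}


def _verify(account, password):
    expected = _CREDENTIALS.get(account, "")
    return hmac.compare_digest(expected, password)


def demo():
    """Walk through the policy: four rapid failures lock the account, the
    right password is refused while locked, the lockout expires after ten
    minutes, and failures spaced 200 s apart never reach the threshold."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    results = []
    for _ in range(4):                                   # four rapid bad guesses
        results.append(throttle.attempt("alice", "wrong", _verify))
    results.append(throttle.attempt("alice", _CREDENTIALS["alice"], _verify))
    clock.advance(600)                                   # lockout expires
    results.append(throttle.attempt("alice", _CREDENTIALS["alice"], _verify))
    for _ in range(4):                                   # slow guesses, 200 s apart
        results.append(throttle.attempt("alice", "wrong", _verify))
        clock.advance(200)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the sequence of outcomes: three failures, a lockout on the fourth, the correct password rejected while locked, success once the lockout expires, and four slow failures that never lock because the five-minute window only ever holds two of them.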

This requirement is satisfied by using Yale institutional authentication methods, such as Active Directory, CAS, Shibboleth, and Entra ID.