Back to Blog

Put an End to “3 Strikes and You’re Out” Password Management

3_strikesPassword management is a pain and only promises to get worse as banks and other ecommerce providers tighten up access controls due to sophisticated fraud attacks.

However there is one area where some banks are still "penny-wise and pound foolish." Specifically, the old-fashioned notion of locking an account after three unsuccessful password attempts.

It’s just too easy for to miss three times. Here’s what just happened to me at Bank One’s credit card site:

1. Correct username, incorrect password
2. Correct username, retype same (incorrect) password in case I made an inadvertent typo the first time (since the password is masked and I can’t see what I typed the first time)
3. Correct username, another shot at the password which turned out to be incorrect (probably because I changed it last time I was locked out)

RESULT: Locked out and in need of an account reset, which luckily you can do online if you have the card number, expiration date, 3-digit code, and primary social security number.

Analysis
The last time we took an in-depth survey, in our April 2003 report on Security & Privacy (OBR 93/94), 4 of the 14 major financial institutions we tested locked users out after just three attempts, while 6 of 14 fell within the recommended range of 5 to 10 attempts.

We recommend that you allow at least five unsuccessful logins, and preferably closer to 10, prior to freezing the account. The amount of fraud deterred between locking out at three attempts vs. locking out at six is so small as to be virtually unmeasurable. However, there is a real cost in customer service and consumer dissatisfaction for constantly requiring password resets.

OK, I feel better now. Thanks for listening.

JB