Why do sites implement locking after three failed password attempts?

Recently, at the OWASP AppSec 2010 conference in Orange County, Bill Cheswick from AT&T talked at length about this issue.

In brief, there's insufficient research.

In long, here are some of his ideas for less painful account locking:

  • Don't count duplicate password attempts (they probably thought they mistyped it).
  • Make the password hint about the primary password, and don't have a (weak) secondary.
  • Allow a trusted party to vouch for the user, so he can change his password.
  • Lock the account in increasing time increments.
  • Remind the user of password rules.

Any website that complies with PCI Data Security Standards has to adhere to sections

  • 8.5.13 (Limit repeated access attempts by locking out the user ID after not more than six attempts)
  • 8.5.14 (Set the lockout duration to thirty minutes or until administrator enables the user ID).

This is unfortunately why a lot of sites accepting credit cards have draconian lockout policies, even though their designers may not necessarily agree with what they've implemented.

Edit: Note that these requirements only apply to systems for "non-consumer users" so they shouldn't affect customer sites accepting cards.
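Two of the ideas above (not counting duplicate attempts, and locking in increasing time increments) can be combined in one small policy object. The following is an added illustration, not code from the answer or from any product; the class name, the three-failure threshold, the 60-second base lock and the HMAC fingerprinting of attempts are assumptions chosen for the example. The login handler is expected to call is_locked() before verifying a password and then record_failure() or record_success().

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Per-process secret for fingerprinting attempts (constructed for this example):
# duplicates are detected without storing the submitted password itself.
_FINGERPRINT_KEY = os.urandom(32)

def _fingerprint(password: str) -> str:
    return hmac.new(_FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()

@dataclass
class _State:
    failures: int = 0           # distinct wrong passwords since the last success
    last_fingerprint: str = ""  # fingerprint of the previous wrong password
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked

class LockoutPolicy:
    """Lock after `threshold` distinct failures; each further distinct failure
    doubles the lock length, capped at `max_lock`."""

    def __init__(self, threshold=3, base_lock=60.0, max_lock=3600.0, clock=time.time):
        self.threshold, self.base_lock, self.max_lock = threshold, base_lock, max_lock
        self.clock = clock  # injectable so lock timing can be tested
        self._users = {}

    def _state(self, user: str) -> _State:
        return self._users.setdefault(user, _State())

    def lock_remaining(self, user: str) -> float:
        return max(0.0, self._state(user).locked_until - self.clock())

    def is_locked(self, user: str) -> bool:
        return self.lock_remaining(user) > 0

    def record_failure(self, user: str, submitted_password: str) -> int:
        s = self._state(user)
        fp = _fingerprint(submitted_password)
        if fp == s.last_fingerprint:
            return s.failures  # same wrong password again: a retype, not a new guess
        s.last_fingerprint, s.failures = fp, s.failures + 1
        if s.failures >= self.threshold:
            # Increasing increments: base, 2*base, 4*base, ... capped at max_lock
            lock = min(self.base_lock * 2 ** (s.failures - self.threshold), self.max_lock)
            s.locked_until = self.clock() + lock
        return s.failures

    def record_success(self, user: str) -> None:
        self._users.pop(user, None)  # a correct login clears the history
```

Because only a keyed fingerprint of the previous attempt is kept, the "duplicate" check costs nothing at rest if the process restarts, and the state should live in whatever short-lived store the application already uses for sessions.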


My experience is that lock-out mechanisms are diminishing in popularity (at least for web apps). Instead of locking accounts out after a series of failed attempts, you begin to ask for additional information for successful authentication.