| Author |
Message |
Guest
|
Posted: Fri May 12, 2006 11:45 pm Post subject: Password is passed Multiple times per thread? |
|
|
Hello,
I was presented an MS article that stated that when a person submits their
password/credentials in conjunction with an executable, that the passing of
the credentials is multiplied by the threads underneath the executable
process. Is this so? We have had quite a few accounts that have locked out
from a single bad password entry and our limit is set to 5.
If anyone has any ideas or could point out an article or white paper which
discusses this issue, I would be most appreciative. |
|
Karl Levinson, mvp Guest
|
Posted: Sat May 13, 2006 12:01 am Post subject: Re: Password is passed Multiple times per thread? |
|
|
Microsoft does not currently recommend setting account lockout threshold to
just 5. They now argue, and I feel rightly so, that it is better to bump
that number up to, say, 10 or 20 or even more. The justification is that the
organization increases its risk of users not being able to work and the lost
time and money incurred by additional help desk requests, and that this
increased risk more than outweighs the relatively small benefit of having
such a restrictive account lockout threshold.
It is true that in some situations, Windows will retry a failed password
several times in the space of a second. I have seen this result in account
lockouts.
<-> wrote in message news:uEg$gyfdGHA.3348@TK2MSFTNGP03.phx.gbl...
| Quote: | Hello,
I was presented an MS article that stated that when a person submits their
password/credentials in conjunction with an executable, that the passing of
the credentials is multiplied by the threads underneath the executable
process. Is this so? We have had quite a few accounts that have locked out
from a single bad password entry and our limit is set to 5
If anyone has any ideas or could point out an article or white paper which
discusses this issue, I would be most appreciative.
|
|
|
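Added example, not part of the thread and not Microsoft's code: one way to separate the kind of sub-second retry burst described in the reply above from genuinely separate bad-password attempts when reviewing failed-logon records against a threshold of 5. The record layout, account names and host names are constructed, and the sketch assumes every record falls inside one lockout counter window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # threshold reported by the original poster
BURST_WINDOW = timedelta(seconds=1)   # "several times in the space of a second"

# Constructed sample records (time, account, source host); not real log output.
SAMPLE = [
    ("2006-05-12 09:14:03.120", "jsmith", "WKS-017"),
    ("2006-05-12 09:14:03.310", "jsmith", "WKS-017"),
    ("2006-05-12 09:14:03.480", "jsmith", "WKS-017"),
    ("2006-05-12 09:14:03.700", "jsmith", "WKS-017"),
    ("2006-05-12 09:14:03.950", "jsmith", "WKS-017"),
    ("2006-05-12 09:20:00.000", "mbrown", "WKS-044"),
    ("2006-05-12 09:20:20.000", "mbrown", "WKS-044"),
    ("2006-05-12 09:20:40.000", "mbrown", "WKS-044"),
    ("2006-05-12 09:21:00.000", "mbrown", "WKS-044"),
    ("2006-05-12 09:21:20.000", "mbrown", "WKS-044"),
    ("2006-05-12 09:30:00.000", "akhan", "WKS-102"),
    ("2006-05-12 09:31:00.000", "akhan", "WKS-102"),
]

def parse(records):
    """Turn (time string, account, source) tuples into time-sorted records."""
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    return sorted((datetime.strptime(t, fmt), a, s) for t, a, s in records)

def summarize(records, threshold=LOCKOUT_THRESHOLD, window=BURST_WINDOW):
    """Per account: raw failures, bursts (failures from one source within
    `window` of the burst's first failure count once), and lockout flags."""
    failures, bursts, burst_start = defaultdict(int), defaultdict(int), {}
    for ts, account, source in parse(records):
        failures[account] += 1
        key = (account, source)
        if key not in burst_start or ts - burst_start[key] > window:
            bursts[account] += 1          # a new, separate attempt
            burst_start[key] = ts
    return {
        a: {
            "failures": failures[a],
            "bursts": bursts[a],
            "reaches_threshold": failures[a] >= threshold,
            # threshold hit by raw count, but not by separate attempts
            "retry_amplified": failures[a] >= threshold > bursts[a],
        }
        for a in failures
    }

if __name__ == "__main__":
    for account, row in summarize(SAMPLE).items():
        print(account, row)
```

An account flagged `retry_amplified` reached the threshold on raw failures while showing fewer separate attempts than the threshold, which points at automatic retries rather than repeated guessing.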
kj Guest
|
Posted: Sat May 13, 2006 12:51 am Post subject: Re: Password is passed Multiple times per thread? |
|
|
There are many articles and many issues with a lockout value this low,
depending upon the environment.
Generally this is way too low a value. 15 to 20 would likely be a better choice
to thwart attempted password cracking
(combined, of course, with a good password policy and auditing).
--
/kj
<-> wrote in message news:uEg$gyfdGHA.3348@TK2MSFTNGP03.phx.gbl...
| Quote: | Hello,
I was presented an MS article that stated that when a person submits their
password/credentials in conjunction with an executable, that the passing
of the credentials is multiplied by the threads underneath the executable
process. Is this so? We have had quite a few accounts that have locked
out from a single bad password entry and our limit is set to 5
If anyone has any ideas or could point out an article or white paper which
discusses this issue, I would be most appreciative.
|
|
|
wickydog Guest
|
Posted: Sat May 13, 2006 8:29 am Post subject: Re: Password is passed Multiple times per thread? |
|
|
I will recommend that the password thread should have a greater value so
security in the domain is enhanced. However, we can make the logout duration
shorter so it will make the administration work lighter. However, it still
has the security concern.
"kj" wrote:
| Quote: | There are many articles and many issues with a lockout value this low,
depending upon the environment.
Generally this is way too low a value. 15 to 20 would likely be a better choice
to thwart attempted password cracking
(combined, of course, with a good password policy and auditing).
--
/kj
-> wrote in message news:uEg$gyfdGHA.3348@TK2MSFTNGP03.phx.gbl...
Hello,
I was presented an MS article that stated that when a person submits their
password/credentials in conjunction with an executable, that the passing
of the credentials is multiplied by the threads underneath the executable
process. Is this so? We have had quite a few accounts that have locked
out from a single bad password entry and our limit is set to 5
If anyone has any ideas or could point out an article or white paper which
discusses this issue, I would be most appreciative.
|
|
|