CWE-645: Overly Restrictive Account Lockout Mechanism
Learn about CWE-645 (Overly Restrictive Account Lockout Mechanism), its security impact, exploitation methods, and prevention guidelines.
What is Overly Restrictive Account Lockout Mechanism?
• Overview: CWE-645 refers to an overly restrictive account lockout mechanism where the system locks user accounts too easily after a few failed login attempts, potentially allowing attackers to intentionally lock out legitimate users and deny them access.
• Exploitation Methods:
- Attackers can intentionally trigger the lockout by repeatedly entering incorrect passwords for an account.
- Common attack patterns include automated scripts that attempt multiple logins until the lockout threshold is reached.
• Security Impact:
- Direct consequences include denial of service to legitimate users who cannot access their accounts.
- Potential cascading effects involve disrupted business operations and increased workload for administrators to unlock accounts.
- Business impact includes decreased user satisfaction and potential revenue loss due to service disruptions.
• Prevention Guidelines:
- Implement adaptive lockout mechanisms that consider user behavior and adjust thresholds accordingly.
- Use CAPTCHA challenges or multi-factor authentication to prevent automated lockout attempts.
- Recommended tools and frameworks include rate limiting libraries and authentication frameworks with customizable lockout settings.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
```python
class UserAuth:
    def __init__(self):
        self.failed_attempts = {}

    def login(self, username, password):
        # Check if account is locked: three failures lock it permanently,
        # with no timeout and no self-service recovery
        if self.failed_attempts.get(username, 0) >= 3:
            return "Account locked due to multiple failed attempts."
        if self.check_credentials(username, password):
            self.failed_attempts[username] = 0
            return "Login successful"
        else:
            self.failed_attempts[username] = self.failed_attempts.get(username, 0) + 1
            return "Invalid credentials"

    def check_credentials(self, username, password):
        # Simulated credential check
        return username == "admin" and password == "password"
```
Explanation:
- Vulnerability: The code locks out the account after three failed attempts, which can be easily exploited by an attacker to cause a denial of service by locking out legitimate users. This overly restrictive mechanism does not provide a way for legitimate users to recover access without intervention.
How to fix Overly Restrictive Account Lockout Mechanism?
To fix this vulnerability, it's crucial to implement an account lockout mechanism that balances security with usability. Consider the following practices:
- Incremental Backoff: Instead of locking the account outright, introduce a delay that increases with each failed attempt.
- Temporary Lockout: Implement a temporary lockout period that resets after a certain time.
- Notifications: Notify users of unusual activity on their accounts.
- Rate Limiting: Introduce rate limiting to restrict the number of login attempts over a period of time.
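The incremental backoff and rate limiting practices above, combined in one worked example. This is an added example, not the page's own code; the BackoffAuth class, its thresholds, the injectable clock and the client_id parameter are assumptions made here.

```python
import time

class BackoffAuth:
    """Per-account incremental backoff plus per-client rate limiting
    (added example, not the page's code): the retry delay doubles after
    each failure, capped at MAX_DELAY, so no account is locked forever."""

    BASE_DELAY = 2        # seconds to wait after the first failure
    MAX_DELAY = 300       # cap on the per-account delay (5 minutes)
    CLIENT_LIMIT = 20     # attempts allowed per client per CLIENT_WINDOW
    CLIENT_WINDOW = 60    # seconds

    def __init__(self, clock=time.time):
        self.clock = clock             # injectable clock so tests need no sleep
        self.failures = {}             # username -> (failed_count, not_before)
        self.client_attempts = {}      # client_id -> list of attempt timestamps

    def remaining_delay(self, username):
        """Seconds the account must still wait (0 when it may try now)."""
        _, not_before = self.failures.get(username, (0, 0.0))
        return max(0, not_before - self.clock())

    def _client_allowed(self, client_id):
        now = self.clock()
        recent = [t for t in self.client_attempts.get(client_id, [])
                  if now - t < self.CLIENT_WINDOW]
        recent.append(now)
        self.client_attempts[client_id] = recent
        return len(recent) <= self.CLIENT_LIMIT

    def login(self, username, password, client_id):
        # Throttle the source first: an abusive client exhausts its own
        # budget instead of the target account's.
        if not self._client_allowed(client_id):
            return "Too many attempts from this client. Try again later."
        wait = self.remaining_delay(username)
        if wait > 0:
            return "Please wait %d seconds before trying again." % wait
        if self.check_credentials(username, password):
            self.failures.pop(username, None)   # success clears backoff state
            return "Login successful"
        count = self.failures.get(username, (0, 0.0))[0] + 1
        delay = min(self.BASE_DELAY * 2 ** (count - 1), self.MAX_DELAY)
        self.failures[username] = (count, self.clock() + delay)
        return "Invalid credentials. Try again in %d seconds." % delay

    def check_credentials(self, username, password):
        # Simulated credential check, the same stand-in the page's examples use
        return username == "admin" and password == "password"
```

Because the delay is bounded and expires on its own, an attacker who keeps failing against a victim's account only slows that account down rather than locking it until an administrator intervenes.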
Fixed Code Example
```python
import time


class UserAuth:
    def __init__(self):
        self.failed_attempts = {}
        self.lockout_time = {}

    def login(self, username, password):
        # Check if the account is temporarily locked
        if username in self.lockout_time:
            if time.time() - self.lockout_time[username] < 300:  # 5-minute lockout
                return "Account temporarily locked. Try again later."
            else:
                # Lockout expired: clear the timer and the failure count,
                # otherwise the very next failed attempt would lock the account again
                del self.lockout_time[username]
                self.failed_attempts[username] = 0
        if self.check_credentials(username, password):
            self.failed_attempts[username] = 0
            return "Login successful"
        else:
            self.failed_attempts[username] = self.failed_attempts.get(username, 0) + 1
            if self.failed_attempts[username] >= 3:
                self.lockout_time[username] = time.time()  # Start lockout timer
                return "Account temporarily locked due to multiple failed attempts."
            return "Invalid credentials. Try again."

    def check_credentials(self, username, password):
        # Simulated credential check
        return username == "admin" and password == "password"
```
Explanation:
- Temporary Lockout: The account is locked for a 5-minute period after three failed attempts, preventing permanent denial of service.
- Lockout Timer Reset: The lockout timer resets after the lockout period, allowing further attempts.
- User Notification: The user is informed about the temporary lockout, providing a more user-friendly experience.
- Improved Usability: By allowing the account to be accessible after a short lockout period, legitimate users have a chance to regain access without needing administrative intervention.