Missing Limits on Repeated Authentication Attempts
Overview
Without limits on repeated authentication attempts, attackers can automate password guessing.
Impact
Beyond enabling password guessing, excessive attempts may also degrade service availability.
Countermeasures
Apply rate limiting, temporary lockouts, progressive delays, IP and account monitoring, and multi-factor authentication.
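The following added example (not from the original page) shows two of these countermeasures together: progressive delays and a temporary lockout, tracked per account and per source IP. The names `LoginThrottle` and `attempt_login`, the thresholds, and the `password_ok` flag standing in for the real credential check are assumptions made for illustration.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Tracks failed logins per key (account name or source IP). Hypothetical helper."""

    def __init__(self, base_delay=1.0, max_failures=5, lockout=900.0,
                 window=900.0, clock=time.monotonic):
        self.base_delay, self.max_failures = base_delay, max_failures
        self.lockout, self.window, self.clock = lockout, window, clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> earliest time of next attempt

    def retry_after(self, *keys):
        """Seconds until an attempt is allowed for all keys (0.0 means now)."""
        now = self.clock()
        return max(0.0, max(self.blocked_until.get(k, 0.0) - now for k in keys))

    def record_failure(self, *keys):
        now = self.clock()
        for k in keys:
            recent = [t for t in self.failures[k] if now - t < self.window]
            recent.append(now)
            self.failures[k] = recent
            if len(recent) >= self.max_failures:
                wait = self.lockout                               # temporary lockout
            else:
                wait = self.base_delay * 2 ** (len(recent) - 1)   # progressive delay
            self.blocked_until[k] = now + wait

    def record_success(self, account_key):
        # Clear only the account. The source IP keeps its history so one valid
        # login cannot reset the counter for guesses against other accounts.
        self.failures.pop(account_key, None)
        self.blocked_until.pop(account_key, None)

def attempt_login(throttle, account, ip, password_ok):
    """Returns (status, retry_after_seconds)."""
    keys = (f"acct:{account}", f"ip:{ip}")
    wait = throttle.retry_after(*keys)
    if wait > 0:
        return "throttled", wait      # reject before evaluating the password
    if password_ok:
        throttle.record_success(keys[0])
        return "ok", 0.0
    throttle.record_failure(*keys)
    return "denied", throttle.retry_after(*keys)
```

State is held in process memory here; a deployment with several application servers would keep the counters in a shared store so the limits apply across all of them.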