Hi there Stack Exchange,
We're seeing numerous issues in our environment of misconfigured systems repeatedly trying old passwords and causing the accounts to be locked out.
I can see no value in locking out accounts where the same password is tried multiple times; as far as I can work out, this does not get a (potential) attacker any closer to guessing the password. I would like to know if there is a way to securely configure a system to count the number of distinct/unique password attempts per user, rather than just the number of attempts before lockout occurs?
I can appreciate that recording password attempts using a reversible derivative might be bad for security, but surely there's a way to distinguish if the same password is attempted multiple times? Recording recent attempts in a long hash or something?
At the very least, is it possible for a system to know that the immediately previous password has been attempted, or even a few back, and not count those as failed attempts? I have seen this implemented, and it would seem similar to the need to judge uniqueness/distinction?
If the only purpose of a lockout policy is to prevent online brute force password guessing, rather than as a tool to DoS accounts, why is incrementing failed logon counters after only distinct password attempts uncommon?
Lots of question marks, sorry, but for clarity the main question again is:
I would like to know if there is a way to securely configure a system to count the number of distinct/unique password attempts per user, rather than just the number of attempts before lockout occurs?
Thanks for any thoughts!
Kind regards, Xeotech