Thread: Failed Login Policy Question

  1. #1 (thunder04)

    Failed Login Policy Question

    Hey All,

    I'm trying to decide on the best settings for the Failed Login Policy (we've been running Zimbra for 3+ years and have yet to enable this!) and I have a question about functionality.

    Let's say I configure the following settings:

    Number of consecutive failed logins allowed: 5
    Time to lockout the account: 1 hour
    Time window in which the failed logins must occur to lock the account: 24 hours

    If a user fails to log in 3 times, but is successful the 4th time, does this mean they will only have two more attempts within the 24 hour period, or does the 24 hour window "reset" with a successful login?

    Thanks in advance for any help!

  2. #2 (Mark)

    Quote Originally Posted by thunder04 (post #1 above)
    I'd shorten the time window to something like 15-30 minutes or so. The policy is really designed to protect a mailbox from an automated password-guessing attack.

    We also implement forced password rotations, and limited password history reuse.

    If you Google for HIPAA-compliant password policies you'll find some good examples you can replicate, along with justification for management who may resist the perceived inconvenience from implementing these kinds of policies.

    Hope that helps,
    Mark

  3. #3 (thunder04)

    The values provided were simply to be an example.

    My true question is: How does the "Time window in which the failed logins must occur to lock the account:" work?

    Does a successful login reset the "Time window in which the failed logins must occur to lock the account"?

    If I attempt to log in and fail 3 times, but am successful the 4th time, do I still have 3 less tries to log in? Or do my "attempts remaining" reset since I've successfully logged in?

    If I've locked my account due to reaching maximum failed logins, wait for my account to become unlocked but am still within the "Time window in which the failed logins must occur..." window, and attempt to log in again... will I only be allowed one attempt? Or, since my account was unlocked, does this reset my "attempts remaining" to log in?

    Perhaps I should stop over-thinking it (though I'd love to understand how it works) and simply ask...what are folks out there setting these to and why?

  4. #4 (Mark)

    Quote Originally Posted by thunder04
    The values provided were simply to be an example.
    Thanks for clarifying.

    Quote Originally Posted by thunder04
    My true question is: How does the "Time window in which the failed logins must occur to lock the account:" work?

    Does a successful login reset the "Time window in which the failed logins must occur to lock the account"?
    That is my understanding, but we have not tested it formally.


    Quote Originally Posted by thunder04
    If I attempt to log in and fail 3 times, but am successful the 4th time, do I still have 3 less tries to log in? Or do my "attempts remaining" reset since I've successfully logged in?
    Our understanding is that the failed-attempts counter is reset upon a successful login, but again, we have not tested this formally. We have however seen a greater number of failed login attempts within the set time from different devices. For example, the user gets prompted to change their Zimbra password at work and does so successfully, but their iPad and ZDesktop at home are still attempting to log in with their old password.

    Quote Originally Posted by thunder04
    If I've locked my account due to reaching maximum failed logins, wait for my account to become unlocked but am still within the "Time window in which the failed logins must occur..." window, and attempt to log in again... will I only be allowed one attempt? Or, since my account was unlocked, does this reset my "attempts remaining" to log in?
    As above, our understanding is that any successful login essentially resets everything.

    Quote Originally Posted by thunder04
    Perhaps I should stop over-thinking it (though I'd love to understand how it works) and simply ask...what are folks out there setting these to and why?
    Good idea! ;-)

    We allow eight failed login attempts within a 15-minute window and log out the user for an hour.

    We also make use of the script zmauditwatch; see page 198 in the latest Administrator's Guide.

    Hope that helps,
    Mark
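The thread leaves two things untested: whether a successful login clears the failure counter (Mark's understanding in #4) and what happens to the counter when a lockout expires. The simulation below is an added example, not Zimbra's code, that models the three settings from #1 and makes both unknowns explicit flags (labelled as assumptions) so each of thunder04's questions can be answered under either interpretation. It also replays two constructed attempt schedules against Mark's 8-failures-in-15-minutes policy from #4: a one-guess-per-second brute force, and the stale-device case he describes (an iPad and ZDesktop still retrying an old password after a change at work), which is what the shorter window recommended in #2 is trading off against. The account names, timings and polling intervals are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The three knobs from the thread plus two behaviours the thread could only
    guess at. Both flags are ASSUMPTIONS about Zimbra, not documented facts."""
    max_failures: int                # "Number of consecutive failed logins allowed"
    lockout_seconds: int             # "Time to lockout the account"
    window_seconds: int              # "Time window in which the failed logins must occur"
    reset_on_success: bool = True    # ASSUMPTION (Mark's view): success clears the counter
    reset_on_unlock: bool = True     # ASSUMPTION: lock expiry clears the counter


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of counted failures
    locked_until: Optional[float] = None


class LockoutSimulator:
    """Applies a LockoutPolicy to a stream of timestamped login attempts."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _live_failures(self, st: AccountState, now: float) -> List[float]:
        # Failures older than the window no longer count towards a lockout.
        return [t for t in st.failures if now - t < self.policy.window_seconds]

    def remaining(self, user: str, now: float) -> int:
        """Failures still allowed before the next one locks the account."""
        st = self.accounts.setdefault(user, AccountState())
        return max(0, self.policy.max_failures - len(self._live_failures(st, now)))

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'fail' or 'locked' ('locked' also covers the failure that engages the lock)."""
        p, st = self.policy, self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"            # still inside the lockout period
            st.locked_until = None         # lock has expired
            if p.reset_on_unlock:
                st.failures.clear()
        st.failures = self._live_failures(st, now)
        if password_ok:
            if p.reset_on_success:
                st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= p.max_failures:
            st.locked_until = now + p.lockout_seconds
            return "locked"
        return "fail"


def scenario_success_resets(reset_on_success: bool) -> int:
    """thunder04's first question: fail 3 times, succeed on the 4th; attempts left?"""
    sim = LockoutSimulator(LockoutPolicy(5, 3600, 24 * 3600, reset_on_success=reset_on_success))
    for t in (0.0, 1.0, 2.0):
        sim.attempt("alice", False, t)
    sim.attempt("alice", True, 3.0)
    return sim.remaining("alice", 4.0)


def scenario_after_unlock(reset_on_unlock: bool) -> Tuple[str, int]:
    """thunder04's second question: locked out, wait for the 1 h lock to expire while
    still inside the 24 h window, then fail once more."""
    sim = LockoutSimulator(LockoutPolicy(5, 3600, 24 * 3600, reset_on_unlock=reset_on_unlock))
    for t in (0.0, 1.0, 2.0, 3.0, 4.0):
        sim.attempt("carol", False, t)            # fifth failure engages the lock
    sim.attempt("carol", False, 100.0)            # 'locked': lock still in force
    status = sim.attempt("carol", False, 3700.0)  # lock has expired by now
    return status, sim.remaining("carol", 3701.0)


def first_lockout(policy: LockoutPolicy, times: List[float]) -> Optional[float]:
    """Replay wrong-password attempts at the given times; return when the lock engages."""
    sim = LockoutSimulator(policy)
    for t in times:
        if sim.attempt("bob", False, t) == "locked":
            return t
    return None


# Constructed attempt schedules (not measured from any real client):
BRUTE_FORCE = [float(t) for t in range(600)]                        # one guess per second for 10 min
STALE_CLIENTS = sorted([float(t) for t in range(0, 3600, 300)]      # iPad retries old password every 5 min
                       + [float(t) for t in range(0, 3600, 600)])   # ZDesktop retries every 10 min

if __name__ == "__main__":
    marks = LockoutPolicy(max_failures=8, lockout_seconds=3600, window_seconds=900)   # policy from post #4
    print("fail x3 then succeed, reset_on_success=True  ->", scenario_success_resets(True))    # 5
    print("fail x3 then succeed, reset_on_success=False ->", scenario_success_resets(False))   # 2
    print("after unlock, reset_on_unlock=True  ->", scenario_after_unlock(True))               # ('fail', 4)
    print("after unlock, reset_on_unlock=False ->", scenario_after_unlock(False))              # ('locked', 0)
    print("brute force, 15 min window -> locked at", first_lockout(marks, BRUTE_FORCE))         # 7.0
    print("stale clients, 15 min window ->", first_lockout(marks, STALE_CLIENTS))               # None
    print("stale clients, 24 h window ->", first_lockout(LockoutPolicy(8, 3600, 86400), STALE_CLIENTS))  # 1200.0
```

The two flags are the whole point: under `reset_on_success=False` thunder04's user really would be left with two attempts after three failures and a success, and under `reset_on_unlock=False` a single wrong password right after the lock expires re-locks the account because the five old failures are still inside the 24-hour window. The schedule replay shows why Mark's 15-minute window is a reasonable choice: a password-guessing script still locks the account on its eighth guess, while two stale clients polling every 5 and 10 minutes never accumulate eight failures in any 15-minute span, whereas the same clients lock the account 20 minutes after a password change under a 24-hour window. If memory serves, the three settings map to the COS/account attributes zimbraPasswordLockoutMaxFailures, zimbraPasswordLockoutDuration and zimbraPasswordLockoutFailureLifetime, with zimbraPasswordLockoutEnabled as the switch; that is from memory, so confirm the attribute names and their reset semantics with zmprov on your own server before relying on them.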
