Steve Sokolowski wrote: There will be a few policy changes coming this weekend, which will affect a large number of customers.
First, attempting to log into more than five accounts with invalid passwords will result in a permanent ban for that IP address. There doesn't seem to be any legitimate reason why one address would need to log into so many accounts. Even if you mistype your username, that would only result in two invalid account logins. The existing limit of 25 login attempts per day for any single account will also remain active.
Steve, as someone with almost 20 years working in Infosec, I'd like to warn you that this sort of approach can be a bad idea if you aren't careful in the way you implement and manage the ban. It depends on the timespan over which you intend to measure the 5 failed logins, but with a large user community behind a NAT you could easily have 5 legitimate account login failures in a few hours, certainly less than 24.
You can run into problems with Universities, corporate networks, hosting environments, Cloud services, VPNs and any other reasonably large community that sits behind a NAT address, so if you really need to implement some kind of control, I suggest you keep the 5 login attempt count window down to 2 minutes or less and implement a rate limiting algorithm (i.e. don't ban it permanently): start with a 5 minute ban, then 10, etc.
If the failed attempts stop for another arbitrary period (say 30 minutes) then have a timeout for the ban, just like an account lockout. You don't want to be forced to manually undo the ban when you can automate it.
Using IP addresses to make security decisions comes with some major issues. Plenty of organisations and companies will give or sell you IP Blacklists and services, but the value of them is entirely dependent on how they re-validate and age that data. Most don't, and the lists are therefore useless over the long term: they just keep getting bigger and bigger as more IP addresses are added, and less and less accurate at the same time, as the older entries are no longer hostile.
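The scheme the reply recommends (count failures per source IP only inside a 2-minute window, ban temporarily with escalating length, and reset the escalation after 30 quiet minutes) as a small Python class. This is an added example, not code from the thread or from the service being discussed; the doubling schedule (5, 10, 20 minutes), the in-memory store and the injectable clock are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 120          # count failures over a 2-minute window
MAX_FAILURES = 5              # 5 failed logins from one IP inside the window => ban
BASE_BAN_SECONDS = 300        # first ban lasts 5 minutes
QUIET_PERIOD_SECONDS = 1800   # 30 quiet minutes reset the escalation level

class IpRateLimiter:
    """Per-source-IP lockout: short window, temporary bans, no manual unban needed."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock (assumption, for tests)
        self._failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self._ban_until = {}                   # ip -> epoch time the ban expires
        self._ban_level = defaultdict(int)     # ip -> how many bans so far
        self._last_failure = {}                # ip -> time of most recent failure

    def is_banned(self, ip):
        """True while a ban is active; expired bans are cleared automatically."""
        until = self._ban_until.get(ip)
        if until is None:
            return False
        if self._now() >= until:
            del self._ban_until[ip]            # timeout, like an account lockout
            return False
        return True

    def record_failure(self, ip):
        """Register one failed login. Returns the ban length in seconds, or 0."""
        now = self._now()
        last = self._last_failure.get(ip)
        if last is not None and now - last >= QUIET_PERIOD_SECONDS:
            self._ban_level[ip] = 0            # quiet for 30 min: start over
            self._failures[ip].clear()
        self._last_failure[ip] = now
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                   # drop failures outside the 2-minute window
        if len(recent) < MAX_FAILURES:
            return 0                           # a shared NAT with a few typos stays unbanned
        self._ban_level[ip] += 1
        # Assumed schedule: 5, 10, 20 ... minutes, doubling with each repeat offence.
        duration = BASE_BAN_SECONDS * 2 ** (self._ban_level[ip] - 1)
        self._ban_until[ip] = now + duration
        recent.clear()
        return duration
```

Call `is_banned(ip)` before attempting authentication and `record_failure(ip)` after each rejected password; the per-account daily limit from the original post is a separate counter and not modelled here.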