8.3.4 Invalid authentication attempts are limited by:

Defined Approach Requirements

8.3.4 Invalid authentication attempts are limited by:

• Locking out the user ID after not more than 10 attempts.
• Setting the lockout duration to a minimum of 30 minutes or until the user's identity is confirmed.

Customized Approach Objective

An authentication factor cannot be guessed in a brute force, online attack.

Applicability Notes

This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.

Defined Approach Testing Procedures

8.3.4.a Examine system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than 10 invalid logon attempts.

8.3.4.b Examine system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until the user's identity is confirmed.

Purpose

Without account-lockout mechanisms in place, an attacker can continually try to guess a password using manual or automated tools (for example, password cracking) until the attacker succeeds and gains access to a user's account.

If an account is locked out after someone continually trying to guess a password, controls to delay reactivation of the locked account stop the malicious individual from guessing the password, as they will have to stop for a minimum of 30 minutes until the account is reactivated.

Good Practice

Before reactivating a locked account, the user's identity should be confirmed. For example, the administrator or help desk personnel can validate that the actual account owner is requesting reactivation, or there may be password reset self-service mechanisms that the account owner uses to verify their identity.