Set Account Lockout ASVS Levels 1-3 Aligned to NIST, PCI-DSS, CIS et al #2011
Labels: "1) Discussion ongoing" (Issue is opened and assigned but no clear proposal yet); "V2"; "5.0 - prep" (This needs to be addressed to prepare 5.0)
ASVS Requirement 2.2.1 states "... More than 5 failed authentication attempts per hour for a single account should trigger some sort of reaction or alert. ..."
To expand on @TheDauntless's comment in #906 (comment), I'd like the ASVS Levels to align with PCI-DSS and CIS.
NIST Special Publication 800-63B sets the limit to <100 as reproduced below:
PCI-DSS 4.0.1 sets the limit to 10 as reproduced below:
CIS sets the limit to 5 as reproduced below as provided by @TheDauntless:
Can we set the limits to <=100, 10, 5 for ASVS Level 1, 2, 3 respectively?
All other issues referencing "lockout"
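As an added illustration of the per-level thresholds proposed above (example code, not from the ASVS project or this issue), the following is a sliding-window failed-login counter that flags an account once its failures in the last hour exceed the configured level's limit. It assumes the reaction fires when the count exceeds the threshold and that a successful login clears the counter; both are assumptions, not text from the issue.

```python
from collections import defaultdict, deque

# Proposed failed-attempt limits per hour, per account, by ASVS level
# (<=100 / 10 / 5 as suggested in the issue; Level 1 mirrors NIST 800-63B's bound).
THRESHOLDS = {1: 100, 2: 10, 3: 5}
WINDOW_SECONDS = 3600  # ASVS 2.2.1 counts attempts "per hour"


class LockoutMonitor:
    """Tracks failed authentication attempts per account in a sliding one-hour window
    and records an alert when the count exceeds the level's limit (assumption)."""

    def __init__(self, level: int):
        self.limit = THRESHOLDS[level]
        self.failures = defaultdict(deque)  # account -> timestamps (seconds) of failures
        self.alerts = []                    # (account, time, failures) for the SOC / audit log

    def _prune(self, account: str, now: float) -> None:
        # Drop failures that fell out of the one-hour window.
        q = self.failures[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt at time `now`. Returns True when the account has
        exceeded the limit in the window, i.e. a reaction (lockout, step-up, alert) is due."""
        self._prune(account, now)
        self.failures[account].append(now)
        count = len(self.failures[account])
        if count > self.limit:
            self.alerts.append((account, now, count))
            return True
        return False

    def record_success(self, account: str) -> None:
        # Assumption: a successful login resets the counter for that account.
        self.failures.pop(account, None)

    def failures_in_window(self, account: str, now: float) -> int:
        self._prune(account, now)
        return len(self.failures[account])
```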