12.10. Account Lockouts

Membership providers can choose to implement account lockouts as a protection against brute force guessing attacks against a user's password and password answer. SqlMembershipProvider implements protections against both attacks and will lock out accounts in both cases. Deciphering the provider configuration attributes for account lockouts, and understanding exactly when the SQL provider locks an account, can be a bit confusing.

SqlMembershipProvider keeps track of failed attempts at using a password by storing tracking information in the FailedPasswordAttemptCount and FailedPasswordAttemptWindowStart columns of the aspnet_Membership table. The provider tracks failed attempts at using a password answer separately in a different set of columns: FailedPasswordAnswerAttemptCount and FailedPasswordAnswerAttemptWindowStart. When a user is first created, the counter columns are set to a default value of zero while the date-time columns are set to a default value of 01/01/1754.

Each time a provider method is called that accepts a password parameter, the provider internally validates that the password is correct. ValidateUser is the most common method where this occurs, but password validation also occurs for ChangePassword (validating the old password) as well as ChangePasswordQuestionAndAnswer. The first time an incorrect password is supplied, two things occur:

  • The FailedPasswordAttemptCount in the database is incremented by one.

  • The
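The following is an added model of the counter-and-window bookkeeping described above; it is example code, not the book's or the provider's own code. It mirrors the aspnet_Membership columns named in the text (the two counter columns, the two window-start columns with their 01/01/1754 default, and IsLockedOut/LastLockoutDate) and assumes the provider's standard configuration values of maxInvalidPasswordAttempts=5 and passwordAttemptWindow=10 minutes. The assumption that a failure inside the window refreshes the window start (a sliding window) and that a correct password resets the counter and window start to their defaults is this model's, not something the excerpt states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sentinel the provider stores in the *WindowStart columns when a user is created.
WINDOW_START_DEFAULT = datetime(1754, 1, 1)

# Assumed configuration values (the provider's usual defaults).
MAX_INVALID_PASSWORD_ATTEMPTS = 5
PASSWORD_ATTEMPT_WINDOW = timedelta(minutes=10)


@dataclass
class MembershipRow:
    """Lockout-relevant columns of one aspnet_Membership row (modelled, not real schema code)."""
    is_locked_out: bool = False
    last_lockout_date: datetime = WINDOW_START_DEFAULT
    failed_password_attempt_count: int = 0
    failed_password_attempt_window_start: datetime = WINDOW_START_DEFAULT
    failed_password_answer_attempt_count: int = 0
    failed_password_answer_attempt_window_start: datetime = WINDOW_START_DEFAULT


def _next_counter(count: int, window_start: datetime, now: datetime) -> tuple[int, datetime]:
    """Return the updated (count, window_start) after one failed attempt.

    If the previous window has expired (or was never started, i.e. still the
    1754 sentinel) a fresh window begins at 1; otherwise the count increments.
    Assumption of this model: every failure moves the window start to 'now'.
    """
    if now > window_start + PASSWORD_ATTEMPT_WINDOW:
        return 1, now
    return count + 1, now


def record_failed_attempt(row: MembershipRow, now: datetime, *, answer: bool = False) -> bool:
    """Apply one failed password (or password-answer) attempt; return True if the account is now locked."""
    if answer:
        count, start = _next_counter(row.failed_password_answer_attempt_count,
                                     row.failed_password_answer_attempt_window_start, now)
        row.failed_password_answer_attempt_count = count
        row.failed_password_answer_attempt_window_start = start
    else:
        count, start = _next_counter(row.failed_password_attempt_count,
                                     row.failed_password_attempt_window_start, now)
        row.failed_password_attempt_count = count
        row.failed_password_attempt_window_start = start

    if count >= MAX_INVALID_PASSWORD_ATTEMPTS:
        row.is_locked_out = True
        row.last_lockout_date = now
    return row.is_locked_out


def validate_password(row: MembershipRow, password_correct: bool, now: datetime) -> bool:
    """Model of the password check every password-accepting provider method performs.

    A locked-out account never validates, even with the right password.
    A correct password resets the password counter and window start to their defaults
    (assumption of this model); an incorrect one is recorded via record_failed_attempt.
    """
    if row.is_locked_out:
        return False
    if password_correct:
        row.failed_password_attempt_count = 0
        row.failed_password_attempt_window_start = WINDOW_START_DEFAULT
        return True
    record_failed_attempt(row, now)
    return False


if __name__ == "__main__":
    # Constructed timeline: five wrong passwords one minute apart lock the account.
    row = MembershipRow()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    for minute in range(MAX_INVALID_PASSWORD_ATTEMPTS):
        validate_password(row, False, t0 + timedelta(minutes=minute))
        print(f"attempt {minute + 1}: count={row.failed_password_attempt_count} locked={row.is_locked_out}")
```

Because the 1754 sentinel plus a ten-minute window is still in 1754, the first failure after creation or after a successful login always starts a new window at a count of 1, which is why the date-time columns default to that value rather than to NULL.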
