O'Reilly logo

Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB by Stefan Schackow, Bilal Haidar

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

12.11. Implementing Automatic Unlocking

One potential issue that folks raise about SqlMembershipProvider is that the current lockout behavior can lead to a denial of service (DoS) attack. Theoretically, a malicious user could spam a login page with likely user accounts to force account lockouts for a large number of website users. After the user accounts are locked out, the users have no way to get back onto the website until an administrator intervenes and unlocks the accounts.

Although an auto-unlock feature for accounts is a partial deterrent to this type of DoS attack, you should be aware that after you have automatic unlocking, the DoS attack can now be turned into a long-running brute force password attack. Instead of cutting the attack off after a few attempts per user account, an auto-unlock feature allows an attacker to iterate through a few passwords, back off for the duration of the account lockout, and then iterate through some more passwords for each user account. If you don't monitor web logs (and potentially add custom auditing on top of the SQL provider) for this type of activity, you can literally end up with a brute force password attack running for weeks on end.

For example, if you have a 30-minute auto-unlock period after five bad passwords, and an attacker tries guessing passwords for 4 weeks, the attacker can run 240 bad passwords per account per day for a rough total of 6720 bad passwords per user account per month on a site. I would highly recommend that ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required