qbo.Security: Account Lockouts

posted Apr 1, 2013, 7:38 AM by Eric Patrick

By default, the QBO 3 security module is designed to lock out accounts after three (3) failed login attempts.

Given a user name (Person), one can check the SecurityLog table to see the failed lockouts:

SELECT TOP 100 * FROM SecurityLog 
WHERE Person = 'admin@quandis.com' 
AND SecurityLog != 'Login Success'  -- you can comment this line out to see successful logins interspersed with failed logins and password changes.

Note the following:
  • Login with a correct password: log a successful login
  • Login with a wrong password attempt #1; no lockout
  • Login with a wrong password attempt #2; no lockout
  • Login with a wrong password attempt #3; lockout
  • Account is unlocked
  • Login with a wrong password attempt #4; lockout (immediate)

The lockout logic is this: how many failed login attempts have we had since the last successful login?

In the scenario above, when a user hits invalid password attempt #4, there was no successful login between the Account lock and the 4th attempt, the account is immediately locked out.

This behavior could be modified, but doing so would weaken security. The reason one locks out accounts after X attempts is because a hacker may be trying random passwords. If this is actually the case, chances are reasonable that the hacker and the real user are both trying to access an account. If we ignore the last successful login, we triple the number of hack attempts a hacker may use via the unlocking.