CIOs Deal With Password Lockout Challenges

Accessing a system should not be a challenge for users
Accessing a system should not be a challenge for users
Image Credit: Les Orchard

One of the things that a CIO has to do is to deal with a long list of complaints from users about how the company’s technology works. Fairly high on this list at most companies is the problem with password lockouts. You know what I’m talking about. In our quest to keep the company’s systems secure, we’ve implemented policies that lock users out after a certain number of incorrectly entered passwords. We’re trying to do the right thing, but is there a better way?

The Problem With Lockouts

All CIOs have had to deal with the problem of getting locked out of their own systems. The “three times lockout” rule has been almost universally applied. It’s also almost universally reviled by everyone. And to make things even more annoying for everyone who has been locked out: no one really knows why three is the magic number for getting locked out. This magic number was probably initially considered the right number to allow for some forgetfulness, but not make it too easy for hackers to guess. However, there is no empirical evidence that three tries is still the sweet spot. CIOs need to realize that it is possible that the number should no longer be three, but rather five, seven or even ten.

The problem is that it’s can be hard for a CIO to gather evidence to test the lockout threshold. If you put yourself in the shoes of a system administrator, you need to think about how it would look if you increased the number of permitted tries, and then the system then gets compromised. In most organizations, the system administrator would be held accountable. So, CIOs believe that the safest option is to stick with what everyone else does: three tries and you’re locked out.

There is also the issue of inertia in every organization. There are all sorts of legacy protocols in place when it comes to security. As an example of this, there is the dated definition of what goes into a “complex” password. In the past having enforced expiration dates for passwords was widely considered a best practice until various federal bodies released advice in 2017 pointing out that this activity was actually counterproductive. It turns out that the three times lockout rule is another of these legacy practices.

Fixing The Lockout Policy

So, how can a CIO test whether the lockout rule makes sense since a real-world experiment is so difficult? One way to do this is to use a simulation. Simulations allow a CIO to test the impact of different settings, while recording all outcomes, both good (risk reduction) and bad (risk increase). The best part of approaching this problem in this fashion is that there is no risk to any real-life system.

One approach that CIOs can take is to have their team develop a simulator in order to test password lockout policies. This simulator can model password-related behaviors of virtual “agents” with human propensities, using well-established forgetting statistics to model predictable password choices, forgetting, reuse and sharing. In order to make the simulator even more robust, adding malicious “agents” to it who are trying to attempt to breach accounts would make the results even more worthwhile.

CIOs who have a tool like this would be able to test different lockout settings. The best way to go about doing this would be to run thousands of simulations for each of three, five, seven, nine, eleven and thirteen lockout setting tries. What CIOs should expect to find is that when it comes to password lockout attempts five is actually the optimal number. When a CIO permits five attempts, the number of lockouts can be minimized and there is no adverse effect on security.

What All Of This Means For You

Just about everyone in an organization has been locked out of a system at some point in time. What happened is that we forgot what our password was or at least for one brief moment in time we were unable to type it in correctly. When this happens, it is a real annoyance and it can cause a big impact on our productivity. CIOs realize this and they also understand that it is their responsibility to balance the need to defend their systems from hackers while still making them easy to access for authorized users. What’s the correct solution to the password lockout problem?

In most organizations, password lockout occurs after you have incorrectly entered a password three times. Nobody knows why the number three was adopted for this practice, but it seems to be universal. Users would like the threshold to be raised, but CIOs don’t have any data that would allow them to do this with confidence. CIOs who are interested in improving their interaction with end users can determine what the current lockout policy should be by creating simulations of lockout conditions. The expectation is that these simulations will show that having a lockout occur after five failed attempts is the best choice.

CIOs need to understand that it will not be possible to change the lockout number overnight. We all realize that legacy protocols have a lot of staying power. However, as we are forced to remember more and more passwords for an increasing number of accounts, perhaps this is one issue that we can do something about.


– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™


Question For You: Do you think that CIOs should experiment with different lockout settings for different systems?


Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

CIOs are responsible for equipping the company with the technology that is required to make things run smoothly. When the pandemic hit, we sprang into action and made sure that everyone had what they needed in order to work remotely. Even after the pandemic had receded, we made sure that the company’s infrastructure could support all of the remote meetings that were happening. However, it turns out that all of that working remotely has started to have an effect on the company’s employees. CIOs need to make sure that they understand what everyone is experiencing so that they can take steps to minimize it.