Sar writingv2


Lack of Brute Force Protection on Change Password Page

The change password function did not enforce account lockout. After performing ten (10) invalid login attempts, the application allowed the user to log in with valid credentials.

Without enforcing account lockout, it would be possible for an attacker to launch ongoing password guessing attacks against the web application.

Framework Safeguard: AC-7

Moderate (CVSS=6.2). An attack requires publicly available tools, authenticated access to the application and a moderate amount of time, depending on password strength.

A successful brute force password exploit could allow an attacker to guess the password of a compromised account. This would allow the attacker to return later, using the known password, or could allow the attacker to compromise the user's other accounts.

Configure the application to lock accounts for 30 minutes after 10 consecutive invalid authentication attempts.

National IT Security Password Policy
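The recommended control above is small enough to show in full. The following is an added example, not code from the assessed application or from the slide deck: it applies the stated policy (lock for 30 minutes after 10 consecutive invalid attempts) to a change-password function, where the finding says lockout was missing. The user record, the PBKDF2 hashing, the clock passed in as `now`, and the function names are all assumptions made for the example; a real application would keep the counter and lock timestamp in its user store so the lock survives across requests and servers.

```python
"""Account lockout for a change-password function (added example).

Assumed policy, taken from the finding's recommendation: lock an account
for 30 minutes after 10 consecutive invalid authentication attempts.
The user record, hashing and clock below are constructed for the example
and are not the assessed application's code.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10          # consecutive failures that trigger a lockout
LOCKOUT_SECONDS = 30 * 60  # 30-minute lockout window


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0   # consecutive invalid attempts so far
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the example verifies a real credential;
    # the lockout logic does not depend on the hash function chosen.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(salt=salt, pw_hash=_hash_password(password, salt))


def is_locked(user: UserRecord, now: float) -> bool:
    return now < user.locked_until


def change_password(user: UserRecord, current: str, new: str, now: float) -> str:
    """Return 'locked', 'invalid' or 'changed'.

    Every verification of the current password counts toward the lockout;
    that is the control the finding reports as missing on this function.
    """
    if is_locked(user, now):
        # Refuse before verifying anything: a locked account must not reveal
        # whether the supplied current password happened to be right.
        return "locked"

    candidate = _hash_password(current, user.salt)
    if not hmac.compare_digest(candidate, user.pw_hash):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_ATTEMPTS:
            user.locked_until = now + LOCKOUT_SECONDS
            user.failed_attempts = 0  # counting restarts once the window ends
        return "invalid"

    # Correct current password: clear the consecutive-failure counter and
    # rotate the stored credential (fresh salt, new hash).
    user.failed_attempts = 0
    user.salt = os.urandom(16)
    user.pw_hash = _hash_password(new, user.salt)
    return "changed"
```

The two behaviours to check against the finding are that the tenth consecutive failure locks the account, and that the correct current password is then refused with `locked` until the 30-minute window has passed, which is exactly the case the assessment found was allowed. A successful verification resets the counter, so a legitimate user who mistypes a few times is not pushed toward a lockout by earlier mistakes.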