Account Lockout Problem

  • Idea
  • Updated 4 months ago
A possible denial of service problem exists with the current account lockout policy. On the "Sign In" form, the field for 'Extension' has "Optional" next to it. An inexperienced user might conclude that it is not necessary to include their extension when signing in. After several failed attempts, that inexperienced user succeeds in locking out the super admin account.

This unfortunate incident requires either a password reset on the part of the admin or a call to RC support. Taking this to the inevitable next step, if a disgruntled employee, or a vindictive competitor, knows a little something about RC's lockout policy, they could initiate a DoS on a RingCentral customer.

A better approach would be to block the perpetrator's IP address for a period of time or to increase the number of failed attempts allowed on the superuser account. While not perfect solutions, I believe it is better than allowing the admin's account to be locked by an idiot.

In any case, the optionality of the 'Extension' field should be removed.
Dominick Atanasio
Posted 4 months ago

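The two policies the post contrasts, locking the account after N failures versus blocking the failing source address, modelled as an added Python example (not RingCentral's code; the threshold, window, credentials and IP addresses are assumed values). With account-keyed lockout a stranger's wrong guesses lock the admin out; with source-keyed counting the admin still signs in from another address while the guessing source is blocked.

```python
from collections import defaultdict
from dataclasses import dataclass, field

LOCK_THRESHOLD = 5   # failures before a lockout/block (assumed value, not RingCentral's)
LOCK_SECONDS = 900   # 15-minute window before failures expire (assumed value)

# Constructed credential store. A real service stores password hashes, not plaintext.
CREDENTIALS = {"superadmin": "correct horse battery staple"}


@dataclass
class LoginService:
    # False: N failures lock the *account* for everyone (the policy the post complains about).
    # True:  failures are counted per (account, source IP), so only that source is blocked.
    key_by_source: bool
    failures: dict = field(default_factory=lambda: defaultdict(list))

    def _key(self, account, source_ip):
        return (account, source_ip) if self.key_by_source else account

    def _recent_failures(self, key, now):
        # Drop failures older than the window so a lock expires on its own.
        self.failures[key] = [t for t in self.failures[key] if now - t < LOCK_SECONDS]
        return self.failures[key]

    def attempt(self, account, password, source_ip, now):
        """Return 'ok', 'denied' (bad credentials) or 'locked' (threshold reached)."""
        key = self._key(account, source_ip)
        if len(self._recent_failures(key, now)) >= LOCK_THRESHOLD:
            return "locked"
        if CREDENTIALS.get(account) == password:
            self.failures[key].clear()
            return "ok"
        self.failures[key].append(now)
        return "denied"


def admin_login_after_stranger_fails(key_by_source):
    """Five wrong guesses from one address, then the real admin signs in from another."""
    svc = LoginService(key_by_source)
    for t in range(LOCK_THRESHOLD):
        svc.attempt("superadmin", "wrong-extension-guess", "203.0.113.7", now=t)
    return svc.attempt("superadmin", CREDENTIALS["superadmin"], "198.51.100.2", now=10)


if __name__ == "__main__":
    print("account lockout:", admin_login_after_stranger_fails(False))  # locked
    print("source throttle:", admin_login_after_stranger_fails(True))   # ok
```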
Bob Robinson, Champion
The wording could be changed to state that extension is optional if you are logging in with your direct number. I agree it's not clear, but would not want to have the rule be that you have to log in with the company main number plus extension.
Dominick Atanasio
Why not? There are only a couple of admins to scores of employees. The employees must enter their extension to log in. With form completion in current browsers it's not like you have to always enter the extension. I would rather have my browser populate the field for me than have to reset my password every other week.
Bob Robinson, Champion
Most of our employees log in with e-mail address and I'd advocate that anyway for the users. That stated, a number of them do not even know our company main number, but I guess they would if they started logging in that way. In general, I agree with making it harder to execute a DOS attack on an admin account, but there are likely other approaches besides making extension required (2 factor authentication, etc.). Of course, even if the super admin account got locked out, I could reset that password from my admin account.
Dominick Atanasio
I agree with you on 2FA. I think that's the best option--in today's climate, it should be a default for public-facing username/password authentication.

I think the inconvenience of password resets is one that needs to be addressed though.
Dominick Atanasio
One other comment. We have quite a few message-only extensions for our remote users. These cannot be signed into using an email address. It turns out that it is these users who are causing the problems.
AYan
Yikes, I did not know this issue existed. You got my vote.