Authentication / No Lockout Information

Web and API

Description

No lockout information is an authentication vulnerability, catalogued as CWE-307 in the Common Weakness Enumeration, that occurs when a system does not track failed login attempts as part of authentication. As a result, an attacker can keep guessing passwords without the account ever being locked. According to the OWASP Testing Guide, this vulnerability is important to detect and prevent because it can allow an attacker to gain access to a system or a user account without the system being aware of it.

Risk

The risk associated with the No lockout information vulnerability is high. When failed login attempts are not tracked, an attacker can easily gain access to an account or system without being detected. This can give the attacker access to confidential information or data, and allow them to change or modify the system in whatever way they choose.

Solution

The best solution to the No lockout information vulnerability is to implement an account lockout policy. The policy should limit the number of failed login attempts allowed for a given account before that account is locked. If an attacker then tries to guess a user's password, the account is locked after the set number of failed attempts, preventing the attacker from gaining access to the system.
