Locked out of your account after three tries. The number means nothing.
Here’s a scenario that undoubtedly sounds familiar. You type a password to access one of your accounts. The first two times you type the wrong password. Then you remember the right one. But your finger slips as you type it.
You are locked out.
The “three strikes” rule is almost universally applied. It is also almost universally reviled. And what makes it even more annoying: no one really knows why three is the magic number.
Three tries was probably chosen originally as a number that allows for some forgetting without making it too easy for attackers to guess. But there is no empirical evidence that three tries is the sweet spot. The right number may not be three at all, but rather five, seven or even 10, as was suggested in 2003.
The problem is that it is difficult to gather evidence to test the lockout threshold. Put yourself in the shoes of a system administrator and think about what it would be like if you increased the number of tries allowed and the system was then compromised. The system administrator would be held responsible. So the safest option is to stick with what everyone else does: three tries and you’re out.
There is also the problem of inertia. There are all kinds of legacy protocols when it comes to security. There is, for example, the dated definition of a “complex” password. Similarly, enforcing expiration dates for passwords was widely considered good practice until various organizations (including the U.S. Department of Commerce’s National Institute of Standards and Technology) published advice in 2017 pointing out that this was actually counterproductive.
Another such ancient practice is the three-strikes lockout rule.
So how do we test whether the lockout rule makes sense, when a real-world experiment is so difficult? We use a simulation. Simulations allow us to test the impact of different parameters while recording all results, good (risk reduction) and bad (risk increase). The best part is that there is no risk to any real system.
I developed a simulator called SimPass. It models the password-related behaviors of virtual “agents” that are prone to human failings, using well-established forgetting statistics to model predictable password choices, forgetting, reuse and sharing. Some malicious “agents” attempt to breach accounts.
I worked with my colleague Rosanne English to test different lockout settings. We ran 500 simulations for each of three, five, seven, nine, 11 and 13 tries before lockout. What we discovered was that five was actually the optimal number – the sweet spot we were hoping to identify. Allowing five attempts minimized the number of lockouts with no negative effect on security.
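To show the kind of trade-off such a simulation scores, here is a deliberately small, constructed model added for illustration; it is not SimPass or the authors’ code, and every probability and password list in it is an assumption. Each virtual user gets one login session (a stale password from forgetting, plus possible typos), and an online guesser works through the most common passwords until the lock engages; the same population is then scored at every threshold, so the lockout rate falls and the guessing-success rate rises monotonically as the threshold grows.

```python
import random

# Constructed toy model (not SimPass). Assumed parameters for illustration only.
COMMON = ["123456", "password", "qwerty", "letmein", "welcome", "admin",
          "iloveyou", "monkey", "dragon", "football", "sunshine", "princess"]
P_FORGET = 0.10   # chance the first attempt is an old, stale password
P_TYPO = 0.08     # chance any single attempt is mistyped
P_COMMON = 0.30   # fraction of users who pick a password from COMMON


def make_population(n_users, seed=1):
    """One login session per user: (password, failures before success).
    All random draws happen here, so every threshold is scored on identical data."""
    rng = random.Random(seed)
    sessions = []
    for i in range(n_users):
        if rng.random() < P_COMMON:
            # Zipf-like choice: low ranks (most common passwords) dominate
            rank = min(int(rng.expovariate(0.5)), len(COMMON) - 1)
            pw = COMMON[rank]
        else:
            pw = f"unique-{i}"          # not guessable from the common list
        failures = 1 if rng.random() < P_FORGET else 0
        while rng.random() < P_TYPO:    # each mistype costs one more attempt
            failures += 1
        sessions.append((pw, failures))
    return sessions


def evaluate(sessions, threshold):
    """Score one lockout threshold: (lockout rate, guessing-attack success rate)."""
    locked = sum(1 for _, f in sessions if f >= threshold)
    # the guesser gets exactly `threshold` tries before the account locks
    guesses = set(COMMON[:threshold])
    breached = sum(1 for pw, _ in sessions if pw in guesses)
    n = len(sessions)
    return locked / n, breached / n


def sweep(thresholds=(3, 5, 7, 9, 11, 13), n_users=10000, seed=1):
    """Score every threshold against the same simulated population."""
    sessions = make_population(n_users, seed)
    return {t: evaluate(sessions, t) for t in thresholds}


if __name__ == "__main__":
    for t, (lock, breach) in sweep().items():
        print(f"threshold {t:2d}: locked out {lock:6.2%}, breached {breach:6.2%}")
```

The interesting output is where the lockout curve has flattened while the breach curve has barely moved; a real study would add attacker agents, password reuse and many more runs, as the article describes.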
I don’t expect the lockout number to change overnight. Legacy protocols have a lot of staying power. But as we are forced to remember more passwords for an increasing number of accounts, perhaps our collective annoyance will be heard.
Dr Renaud is a Chancellor’s Scholar at the University of Strathclyde in Glasgow. She can be contacted at reports@wsj.com.
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.
Appeared in the February 28, 2022 print edition as “Three Strikes And You’re Locked Out”.