Exponential Back-off on Authentication Failures

Password policies include an option to lock out user accounts after a number of failed login attempts, however, this is not always appropriate as it allows a malicious user to, instead, effectively perform a denial of service attack. As an alternative to account lockouts, an exponential back-off strategy provides a mechanism to prevent malicious users from attempting to obtain a user's password via brute force.

Using exponential back-off, you can temporarily lock out an account with a number of consecutive failed login attempts, preventing further login attempts until the lockout expires. The lockout time increases exponentially, but a successful login attempt resets the failed attempt count, so that subsequent attempts are no longer delayed.

The delay period is calculated as follows:

Min(MaximumDelay, InitialPenalty + (2^(Number of failures above threshold)) * IncrementalPenalty)

Login failures and temporary lockouts do not accumulate across Rhapsody restarts.

Enabling Exponential Back-off

To enable exponential back-off:

1. Navigate to View>User Manager... to display the User Manager.

2. Select the Password Policy tab and then select the Password Policy button. The Password Policy dialog is displayed:

   

3. Under User Lockout:
   1. Select the Temporary lockout checkbox.
   2. In the After field, set the threshold or the number of login failures after which the temporary lockout applies.
4. Select the OK button. This temporarily locks out the user accounts in Rhapsody, if the password is entered incorrectly more than <n> times.

The other parameters are configured via the rhapsody.properties file.

The result of these default settings, with a threshold set at 3 attempts, is as follows: