
I'm running web scans with Acunetix and the scan keeps reporting two alerts of "Login page password-guessing attack". Our application is built with ASP.NET, and to address this security alert I've implemented the account lockout that is provided with ASP.Identity. It works: if a user enters the wrong password five times, the account gets locked for 5 minutes.

But Acunetix still reports a Login page password-guessing attack after scanning and tells me that our login page doesn't have any protection. I don't understand why this alert shows up. Is an account lockout for 5 minutes after 5 attempts not a good enough security measure?

Bernard Polman
Did you try https://security.stackexchange.com/search?q=brute+force+attack or https://serverfault.com/search?q=brute+force+attack instead? – tk421 Jul 25 '18 at 15:41
Acunetix is just an automated scanning tool, it may not be perfect. Also there can still be attacks like for example a timing attack that leaks information whether a password is good or not even when the account is locked. I'm not saying this is the case, nor that Acunetix would find this, but it's something to consider. But your current finding can very easily be a false positive. Also it's a risk question, if 5 minutes lockout after 5 tries is ok for you, then it's ok, it is your decision. (I personally think for many applications that would be fine.) – Gabor Lengyel Jul 25 '18 at 15:51
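For readers checking their own configuration against the policy described in the question (5 failed attempts, 5-minute lock), the following is an added example and not code from the question or from ASP.NET Identity itself. It assumes ASP.NET Core Identity (the question does not say which Identity version is in use) and the template types ApplicationUser and ApplicationDbContext, which are defined here so the file is complete. The two settings most often overlooked are `Lockout.AllowedForNewUsers` and the `lockoutOnFailure` argument of `PasswordSignInAsync`: if either is false, failed logins are never counted and the lockout never triggers.

```csharp
// Added example: wiring ASP.NET Core Identity's account lockout to the
// policy from the question. ApplicationUser / ApplicationDbContext are the
// usual template types, assumed here and defined minimally for completeness.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
        : base(options) { }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // The policy described in the question: 5 failures, then a 5-minute lock.
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
            // Accounts created while this is false have LockoutEnabled = false
            // on their user record and are never locked, whatever the counters say.
            options.Lockout.AllowedForNewUsers = true;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();
    }
}

// Login handler. The failed-access counter only advances when
// lockoutOnFailure is true; older project templates passed false here,
// which silently disables the policy configured above.
public class LoginService
{
    private readonly SignInManager<ApplicationUser> _signInManager;

    public LoginService(SignInManager<ApplicationUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // Returns "ok", "locked" or "failed". The caller should show the same
    // generic error message for "locked" and "failed" so the response does
    // not reveal which accounts exist or which are currently locked.
    public async Task<string> LoginAsync(string userName, string password)
    {
        SignInResult result = await _signInManager.PasswordSignInAsync(
            userName, password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded) return "ok";
        if (result.IsLockedOut) return "locked";
        return "failed";
    }
}
```

Two points worth checking when a scanner reports no protection despite this configuration. First, Identity's lockout state (`AccessFailedCount`, `LockoutEnd`) lives on the user record, so only failed attempts against existing accounts are counted; attempts against user names that do not exist are not tracked by this mechanism, and a tool submitting made-up names will never observe a lock. Per-IP rate limiting is a separate control that this example does not cover. Second, confirm in the database that `LockoutEnabled` is actually true for the accounts you test with, since that column is what `AllowedForNewUsers` controls at account creation time.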

0 Answers