IT Baseline Protection Manual S 4.15 Secure log-in
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Use should be made of a log-in program or the relevant options should be activated so that the following measures can be taken:
The number of unsuccessful log-in attempts is restricted.
After each unsuccessful log-in attempt, the waiting time until the next log-in prompt will increase. After a certain number of unsuccessful attempts, the account and/or terminal will be blocked. It should be noted that the administrator must not be locked out by this measure; his continued access from the console must be ensured (cf. also S 1.32 Adequate siting of the console, devices with exchangeable data media, and printers).
When logging in, the user is informed of the time of the last successful log-in.
When logging in, the user is advised of unsuccessful log-in attempts. This information may be repeated at several subsequent log-ins.
When logging in, the user is informed of the time of the last log-out. Here, a distinction is made between log-outs from an interactive log-in and log-outs from a non-interactive log-in (log-out of background processes).
The additional use of one-time passwords is recommended for log-in via networks with non-encrypted transmission of passwords (also refer to S 5.34 Use of one-time passwords).
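The log-in controls listed above can be modelled in a few lines of account-state logic: a growing wait after each failure, blocking after a set number of failures with the administrator at the console exempt, and a notice at successful log-in showing the last log-in, the failures since then, and the last log-out with its kind. This is an added illustration, not code from the Baseline Protection Manual; the threshold of 5 attempts, the doubling delay and the names "root"/"console" are assumptions, and the timestamps are constructed ISO strings supplied by the caller.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_ATTEMPTS = 5    # assumed threshold; the Manual leaves the number to the administrator
BASE_DELAY_S = 1    # assumed base wait in seconds; doubles after every further failure
ADMIN_USER, CONSOLE = "root", "console"   # assumed names used for the lock-out exemption

@dataclass
class Account:
    name: str
    failures: int = 0                   # unsuccessful attempts since the last success
    locked: bool = False
    last_login: Optional[str] = None    # ISO timestamps; constructed by the caller
    last_logout: Optional[str] = None
    logout_interactive: bool = True
    failed_log: List[Tuple[str, str]] = field(default_factory=list)  # (when, terminal)

def next_delay(failures: int) -> int:
    """Waiting time before the next prompt: 1 s, 2 s, 4 s, ... per failure."""
    return BASE_DELAY_S * 2 ** (failures - 1) if failures > 0 else 0

def record_failure(acct: Account, terminal: str, when: str) -> int:
    """Count a failed attempt and block the account once the limit is reached,
    except for the administrator at the console, who must never be locked out."""
    acct.failures += 1
    acct.failed_log.append((when, terminal))
    exempt = acct.name == ADMIN_USER and terminal == CONSOLE
    if acct.failures >= MAX_ATTEMPTS and not exempt:
        acct.locked = True
    return next_delay(acct.failures)

def record_success(acct: Account, when: str) -> dict:
    """Return the notice shown after a successful log-in (last log-in, failed
    attempts since then, last log-out and its kind), then reset the counter."""
    if acct.locked:
        raise PermissionError(f"account {acct.name} is blocked")
    notice = {
        "last_login": acct.last_login,
        "failed_since": list(acct.failed_log),
        "last_logout": acct.last_logout,
        "logout_kind": "interactive" if acct.logout_interactive else "background",
    }
    acct.last_login, acct.failures, acct.failed_log = when, 0, []
    return notice

def record_logout(acct: Account, when: str, interactive: bool) -> None:
    """Remember the log-out time and whether it ended an interactive session."""
    acct.last_logout, acct.logout_interactive = when, interactive
```

The notice returned by `record_success` is what the user is expected to check for plausibility; a last log-in time or terminal the user does not recognise is the signal the controls below ask about.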
Additional controls:
Have the users been instructed to check the time of the last successful log-in for plausibility?
How often are unsuccessful log-in attempts reported to the user?