One common protection against brute-force attacks is locking an account after a defined number of failed login attempts. However, a high lockout threshold allows attackers to try multiple passwords before being blocked, increasing the risk of unauthorized access to accounts and sensitive data.
Tenable Identity Exposure analyzes password policies as follows:
Tenable Identity Exposure analyzes disabled password policies only when the corresponding IOE parameter is also disabled.
You must set the lockout threshold to a lower value in the reported password policy.
Okta recommends a typical value of 10, which is also the default setting in this Indicator of Exposure. Tenable advises selecting a value that aligns with your organization's risk tolerance, as well as the relevant industry standards and regulatory requirements for your sector and location. Be mindful of the impact on end-user experience, as users may occasionally mistype or confuse their passwords.
Next, configure the optimal value in the IOE parameter.
Refer to Okta's official documentation for guidance on how to correctly configure the reported password policy.
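As an added example (not Tenable's or Okta's own code), the following Python audits a list of Okta password policies for this exposure: it flags policies whose lockout threshold exceeds the IOE value (default 10) or whose lockout is off, and skips inactive policies unless told to analyze them. It assumes the field path `settings.password.lockout.maxAttempts` and the `status` values of Okta's Policy API; the policy list itself is constructed sample data.

```python
import json

# Constructed sample resembling the output of GET /api/v1/policies?type=PASSWORD.
# Field layout assumed from Okta's password policy object; values are invented.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "Default Policy", "status": "ACTIVE",
   "settings": {"password": {"lockout": {"maxAttempts": 25, "autoUnlockMinutes": 0}}}},
  {"name": "Contractors", "status": "ACTIVE",
   "settings": {"password": {"lockout": {"maxAttempts": 5, "autoUnlockMinutes": 30}}}},
  {"name": "Legacy", "status": "INACTIVE",
   "settings": {"password": {"lockout": {"maxAttempts": 100, "autoUnlockMinutes": 0}}}},
  {"name": "No Lockout", "status": "ACTIVE",
   "settings": {"password": {"lockout": {"maxAttempts": 0, "autoUnlockMinutes": 0}}}}
]
""")


def lockout_threshold(policy):
    """Return the policy's failed-attempt limit; 0 (or absent) means lockout is off."""
    lockout = policy.get("settings", {}).get("password", {}).get("lockout", {})
    return int(lockout.get("maxAttempts", 0))


def find_weak_lockout_policies(policies, threshold=10, analyze_disabled=False):
    """Report policies whose lockout threshold exceeds `threshold` or is disabled.

    `threshold` mirrors the IOE parameter (default 10). Inactive policies are
    skipped unless `analyze_disabled` is True, mirroring the disabled-policy option.
    Returns a list of (policy name, maxAttempts, reason) tuples.
    """
    findings = []
    for policy in policies:
        if policy.get("status") != "ACTIVE" and not analyze_disabled:
            continue
        limit = lockout_threshold(policy)
        if limit == 0:
            findings.append((policy["name"], limit, "lockout disabled"))
        elif limit > threshold:
            findings.append((policy["name"], limit, f"threshold above {threshold}"))
    return findings


if __name__ == "__main__":
    for name, limit, reason in find_weak_lockout_policies(SAMPLE_POLICIES):
        print(f"{name}: maxAttempts={limit} ({reason})")
```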
Name: Weak Password Policy - Lockout Threshold
Codename: WEAK-PASSWORD-POLICY-LOCKOUT-THRESHOLD-OKTA
Severity: High
Type: Okta Indicator of Exposure