About Me

Skyline Marketing Group, LLC is dedicated to creating high-impact marketing campaigns and new business opportunities for small to mid-sized companies. Contact us today to see how we can help your organization be more successful: MKvicala@sbcglobal.net | 734.662.2803

Monday, February 28, 2022

Three Strikes and You're Out - Legacy protocols on lockout rules have a lot of staying power.


Why do you often get just three tries to access your account?


Here’s a scenario that no doubt sounds familiar. You type in a password to get into one of your accounts. The first two times, you type in the wrong password. Then you remember the right one. But your finger slips as you type it.

You’re locked out.

The “three times lockout” rule is almost universally applied. It’s also almost universally reviled. And to make things even more annoying: No one really knows why three is the magic number.

Three tries was probably chosen initially to tolerate some forgetfulness without making it too easy for attackers to guess. But there is no empirical evidence that three tries is the sweet spot. The right number might not be three at all, but rather five, seven or even 10, as was suggested in 2003.

The problem is that it is hard to gather evidence to test the lockout threshold. Put yourself in the shoes of a system administrator: think about how it would look if you raised the number of permitted tries and the system was then compromised. The administrator would be held accountable. So the safest option is to stick with what everyone else does: three tries and you're out.
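The lockout threshold is only one of several knobs, and it is worth seeing how the knobs interact. The following is an added illustration, not code from the original post: a minimal "N strikes" lockout policy with a failure-counting window and a lockout duration, plus a back-of-the-envelope estimate of how likely an online guesser is to hit a password under a given policy. The account names, the 15-minute lockout, the 30-day horizon and the million-word candidate list are all constructed for the example; the estimate assumes the attacker knows the account name, uses every allowed guess in every lockout period and never repeats a guess, and that the password is equally likely to be any entry in the list. For reference, NIST SP 800-63B advises limiting consecutive failed attempts on a single account to no more than 100.

```python
"""Account-lockout threshold example (added illustration, not from the original post).

Two pieces:
  * LockoutPolicy: a fixed-threshold lockout like the "three strikes" rule,
    with a failure-counting window and a lockout duration.
  * online_guess_probability: how likely an online guesser is to find a
    password within a time horizon, for a given threshold and lockout length.
All names and numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 3        # failures allowed inside one window before locking
    window_s: float = 900.0      # failures older than this are forgotten
    lockout_s: float = 900.0     # how long the account stays locked
    _failures: dict = field(default_factory=dict)      # account -> failure timestamps
    _locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'success' or 'failure'."""
        if self._locked_until.get(account, 0.0) > now:
            return "locked"                      # refused without checking the password
        if password_ok:
            self._failures.pop(account, None)    # a good login clears the counter
            return "success"
        # Keep only failures that are still inside the counting window.
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures.pop(account, None)
            return "locked"
        return "failure"


def online_guess_probability(max_failures: int, lockout_s: float,
                             horizon_s: float, password_space: int) -> float:
    """Probability that a guesser with a list of `password_space` equally likely
    candidates finds the password within `horizon_s` seconds, assuming it spends
    every allowed guess in every lockout period and never repeats a guess."""
    periods = int(horizon_s // lockout_s)
    guesses = max_failures * periods
    return min(1.0, guesses / password_space)


def compare_thresholds(thresholds=(3, 5, 10), lockout_s=900.0,
                       horizon_s=30 * 86400, password_space=10**6) -> dict:
    """Success probability over `horizon_s` for each threshold. Defaults are a
    constructed scenario: 15-minute lockouts, 30 days, a million-word list."""
    return {k: online_guess_probability(k, lockout_s, horizon_s, password_space)
            for k in thresholds}


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3)
    # Two wrong guesses, a third wrong guess (locks), then the right one (still locked).
    for i, ok in enumerate([False, False, False, True]):
        print(i, policy.attempt("alice", ok, now=float(i)))
    for k, p in compare_thresholds().items():
        print(f"threshold {k:3d}: P(guessed within 30 days) = {p:.4f}")
```

Two things the numbers make visible. First, the threshold is a linear factor: going from three to ten tries raises the attacker's 30-day budget from 8,640 to 28,800 guesses, while the size of the password list and the length of the lockout are the levers that change the outcome by orders of magnitude. Second, a lockout that an attacker can trigger at will is itself a denial-of-service tool against the targeted account, which is one reason short lockouts with a generous cap are often preferred over a permanent three-strike lock.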

There is also the issue of inertia. There are all sorts of legacy rules when it comes to security. There is, for instance, the dated definition of a "complex" password. Similarly, enforced expiration dates for passwords were widely considered a best practice until various bodies (including the U.S. Commerce Department's National Institute of Standards and Technology, in Special Publication 800-63B) released advice in 2017 pointing out that this was actually counterproductive.

The three times lockout rule is another of these legacy practices.
