Password Security: "Three Strikes" Rule Sucks
On most of the machines at work, administrators have instituted a
"Three Strikes" rule: An account is disabled after three failed login
attempts. As a new member of the team (AKA the FNG), I keep tripping over this.
The usual sequence of events goes like this:
- 1st Attempt: Try my own password by reflex. Login fails. I realize my mistake immediately.
- 2nd Attempt: Try password $foo. Login fails. I say to myself, "Whups, must have been a typo."
- 3rd Attempt: Try password $foo, very carefully. Login fails. I've got the wrong password. And the account is disabled.
I remember reading an article ages ago about how a "Three Strikes" policy was misguided, and just forced people to write down their passwords and stick them to the edge of their monitor.
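As an added illustration (not code from the original post), here is a small Python model that replays the three attempts above against the "Three Strikes" policy and against an exponential-backoff alternative; the password strings and the 2**n-second delay are constructed assumptions, and `replay` ends by trying the correct password so you can see whether the legitimate user ever gets in.

```python
import hmac
from dataclasses import dataclass

# Constructed replay of the post's sequence: reflex password, then $foo typed twice.
ATTEMPTS = ["my-usual-password", "$foo", "$foo"]

@dataclass
class ThreeStrikes:
    """The post's policy: N failures disable the account until an admin resets it."""
    secret: str
    threshold: int = 3
    failures: int = 0
    disabled: bool = False

    def attempt(self, password: str, now: float) -> str:
        if self.disabled:
            return "disabled"
        if hmac.compare_digest(password, self.secret):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold:
            self.disabled = True
            return "disabled"
        return "fail"

@dataclass
class Backoff:
    """Alternative: a failure only delays the next attempt (2**n seconds, assumed);
    nothing ever disables the account, so a typo never needs an admin."""
    secret: str
    failures: int = 0
    next_allowed: float = 0.0

    def attempt(self, password: str, now: float) -> str:
        if now < self.next_allowed:
            return "throttled"  # refused early; does not consume a strike
        if hmac.compare_digest(password, self.secret):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.next_allowed = now + 2 ** self.failures
        return "fail"

def replay(policy, attempts=ATTEMPTS, spacing=30.0):
    """Send the attempts `spacing` seconds apart, then try the right password once."""
    results = [policy.attempt(p, i * spacing) for i, p in enumerate(attempts)]
    results.append(policy.attempt(policy.secret, len(attempts) * spacing))
    return results
```

Under `ThreeStrikes` the fourth call (the correct password) still returns "disabled"; under `Backoff` it returns "ok" unless the attempts came faster than the current delay, in which case the caller is told to wait rather than locked out.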