The Logic (or Lack of) of Account Lockout Policies
Thursday September 6, 2007
On his blog, Microsoft security guru Steve Riley recently responded to criticism of the default, out-of-the-box security of Windows and explained why Microsoft does not enable an Account Lockout Policy by default. Riley's arguments make a pretty solid case for removing the Account Lockout Policy function entirely rather than enabling it by default. The bottom line, according to Riley, is that Account Lockout Policies cost companies money to support (help-desk time spent unlocking accounts) without providing any real security benefit, and that they hand an attacker a ready-made DoS (denial-of-service) attack: anyone who knows or can guess user names can lock every account on the network simply by entering a few wrong passwords for each one. Riley claims that longer passwords, not Account Lockout Policies, are the path to greater security. He is particularly supportive of passphrases, one of the solutions I offer in Creating Secure Passwords. Read Creating Secure Passwords and Do Not Use Real Words to learn more about protecting your systems and data with passwords that are more difficult to guess or crack.
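To make the denial-of-service argument concrete, here is a small simulation of a Windows-style lockout policy (threshold, observation window, lockout duration) and an attacker who holds a list of user names. This is an added example, not code from the post or from Microsoft; the user names, passphrases, policy numbers and simulated clock are all constructed for illustration, and the password check is a toy hash rather than a real credential store.

```python
"""Toy model of an Account Lockout Policy and the lockout DoS it enables.

Added example, not code from the original post. Times are simulated
seconds; the policy numbers below are assumptions, not any system's defaults.
"""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class LockoutPolicy:
    threshold: int           # bad attempts that trigger a lockout (0 = disabled)
    observation_window: int  # seconds after which the bad-attempt counter resets
    duration: int            # seconds an account stays locked


@dataclass
class Account:
    secret: bytes
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, policy: LockoutPolicy, users: dict):
        self.policy = policy
        self.accounts = {u: Account(self._digest(p)) for u, p in users.items()}

    @staticmethod
    def _digest(password: str) -> bytes:
        # Toy verifier only; a real system uses a salted, slow password hash.
        return hashlib.sha256(password.encode()).digest()

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'OK', 'BAD_PASSWORD', 'LOCKED' or 'NO_SUCH_USER'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "NO_SUCH_USER"
        pol = self.policy
        if now < acct.locked_until:
            return "LOCKED"              # even the correct password is refused
        if now - acct.first_failure_at > pol.observation_window:
            acct.failures = 0            # old failures age out of the window
        if hmac.compare_digest(self._digest(password), acct.secret):
            acct.failures = 0
            return "OK"
        if acct.failures == 0:
            acct.first_failure_at = now
        acct.failures += 1
        if pol.threshold and acct.failures >= pol.threshold:
            acct.locked_until = now + pol.duration
            acct.failures = 0
        return "BAD_PASSWORD"


def lockout_dos(auth: Authenticator, usernames, now: float) -> dict:
    """Attacker with a user list: `threshold` junk passwords per account.

    Returns, per user, whether the account ended up locked. The attacker
    never needs a single correct password, only the user names.
    """
    locked = {}
    for user in usernames:
        for i in range(auth.policy.threshold):
            auth.login(user, f"junk{i}", now)
        locked[user] = auth.login(user, "irrelevant", now) == "LOCKED"
    return locked


def demo() -> dict:
    # Constructed sample users; the passphrases are not real credentials.
    users = {"alice": "correct horse battery staple", "bob": "Tr0ub4dor&3"}
    t0 = 1_000.0

    # Lockout enabled: 5 bad guesses inside 30 minutes locks the account for 30 minutes.
    policy = LockoutPolicy(threshold=5, observation_window=30 * 60, duration=30 * 60)
    auth = Authenticator(policy, users)
    assert auth.login("alice", users["alice"], t0) == "OK"
    locked = lockout_dos(auth, list(users), t0)
    during = auth.login("alice", users["alice"], t0 + 60)              # victim shut out
    after = auth.login("alice", users["alice"], t0 + policy.duration + 1)

    # Lockout disabled: the same attacker achieves nothing.
    no_lock = Authenticator(LockoutPolicy(0, 30 * 60, 30 * 60), users)
    no_lockout = lockout_dos(no_lock, list(users), t0)

    return {"locked": locked, "during": during, "after": after,
            "attacker_attempts": policy.threshold * len(users),
            "no_lockout": no_lockout}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the asymmetry Riley describes: with a threshold of 5 the attacker spends ten requests to lock both accounts and can repeat the trick every time the lockout duration expires, while the legitimate users are refused even with the right password. With the threshold at 0 the same traffic is just failed logins, which is where strong passphrases rather than lockouts have to carry the weight.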
