I would just like to add to the “password science” and point out an unfortunate trade-off with this.
A system that implements this will typically have a “unique key” against which failures are recorded so that when the limit is reached, the account can be locked.
There are two obvious choices for “unique key”.
- user account identifier
- user account identifier + IP address
Each has advantages and disadvantages.
The disadvantage of the first option is that it may make it easy to mount a DoS attack. This is particularly the case if user account identifiers are guessable or publicly available. This is particularly bad if user account identifiers are email addresses. I can use a publicly available list of spam targets, select the ones that are likely to be in Australia, pick one of the large companies in Australia that uses the email address as the user account identifier, and lock out every account that is valid. (The passwords to use are irrelevant. Just use ‘a’, ‘b’ and ‘c’.) Where the account identifier is, say, a nine digit number, just run through them sequentially.
Of course it is possible for the company to offer some kind of defence against this attack but the attacker can often mitigate it with a DDoS.
So in circumstances where it matters, it is highly desirable not to use the email address as the user account identifier, highly desirable to keep user account identifiers private and not readily guessable, if there’s redundancy in the user account identifier highly desirable to keep the check (digit) algorithm secret, and desirable to use a user account identifier that is long enough to make valid accounts sparse in the space of all user account identifiers (which means that redundancy is desirable).
On the other hand, the disadvantage of the second option is that it directly enables a ‘distributed’ attack to have far more than just 3 guesses. If I can marshal a block of 256 IPv4 addresses then I can get 768 guesses, which against a 4 digit PIN would be uncomfortable. A relatively organised attacker can probably marshal 10,000 IPv4 addresses.
Also, the second option is completely unviable against IPv6 (since I myself have 264 IPv6 addresses, or something around that number of bits, as would most home users that actually have IPv6).
Any server attempting to use the second option with IPv6 is potentially vulnerable to a DoS attack against the mechanism itself, as it tries in vain to store 264 records i.e. in that case, the attacker only makes 2 password attempts from each IPv6 address before changing IPv6 address.
This can be partially mitigated by assuming that IPv6 addresses come in large blocks e.g. absolute minimum 48 bits - and only therefore using the top N bits of the IPv6 address - but the space of IPv6 addresses is still very big.