Denial of Service: Oops

I had a Firefox crash yesterday that seems to have corrupted the form completion database and/or some saved cookies.  It’s been no big deal; I just generally have to re-login to a lot of web sites. It was going OK until I got to my bank’s site today to pay some bills.  I know exactly what my password is, because I have to type it in every time I visit, but I’ve long since forgotten my user ID.  It wasn’t in the document in which I record user IDs and password hints.

I tried three or four times with each possible user ID, and after the 3rd or 4th time, I got the "your account has been locked" notice. After doing this for about 20 minutes, I folded and called customer service.  After the usual set of identification questions, I got my user ID.  (Darn!  Yeah, now I remember it).  I asked the person at the other end, a very nice person, what happened to the folks whose IDs I’d been trying.  He said that they’re locked out until they, too, call customer service.

So, if you try to login to your bank and your account is locked, my sincere apologies. 

The bigger issue, of course, is the possibility for someone to do this maliciously.  If I know your bank account user ID, I can lock you out of it by writing a script that tries (and fails) to login and running it every 10 minutes.  Similarly, if your network has a terminal server available, I can lock out any number of users, including the administrator, by doing the same thing.  That would be annoying.

Consider the case, however, if I have access to your system and want to do something bad to it.  While I’m in, it would be a good idea for me to lock the doors behind me, to keep out any admins who might be notified if/when I set off an alarm.  When setting up access policies, it’s important to remember that setting a time lock can lock you out while someone else is within, doing something nasty to your system.  Make sure you have a secure back door, and make sure it uses its own key.
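As an added illustration of the two points above (lockout as a denial of service, and a back door with its own key), here is a small login throttle that is not from the original post or any bank: locks expire on their own and escalate instead of lasting until a phone call, and a break-glass admin account (the name is an assumption) is never locked, relying on its own strong credential rather than a lockout counter.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3            # failures before a temporary lock (the post's "3rd or 4th time")
BASE_LOCK_SECONDS = 60      # first lock length; doubles on each further lock
MAX_LOCK_SECONDS = 3600     # cap so a legitimate user is never shut out for long
BREAK_GLASS = {"breakglass-admin"}  # assumed name of the "back door" account; never locked


class LoginGuard:
    """Tracks failed logins per account and issues expiring, escalating locks."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.failures = defaultdict(int)         # consecutive failures per account
        self.lock_count = defaultdict(int)       # how many locks this account has had
        self.locked_until = {}                   # account -> unix time the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def record_failure(self, user):
        if user in BREAK_GLASS:
            return  # log and alert instead; its own key is the defence, not a lockout
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.lock_count[user] += 1
            secs = min(BASE_LOCK_SECONDS * 2 ** (self.lock_count[user] - 1),
                       MAX_LOCK_SECONDS)
            self.locked_until[user] = self.clock() + secs
            self.failures[user] = 0

    def record_success(self, user):
        # A real login clears all state, so the lock cannot ratchet up forever.
        for table in (self.failures, self.lock_count, self.locked_until):
            table.pop(user, None)

    def attempt(self, user, credential_ok):
        """Return 'locked', 'denied' or 'ok' for one login attempt."""
        if self.is_locked(user):
            return "locked"          # refused even if the credential is right
        if credential_ok:
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "locked" if self.is_locked(user) else "denied"
```

An attacker with your user ID can still cost you a minute or two, but not a call to customer service, and cannot lock out the responder.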