Lazy Diary @ Hatena Blog

PowerShell / Java / miscellaneous things about software development, Tips & Gotchas. CC BY-SA 4.0/Apache License 2.0

What you can do with account lockout and unlocking

Purpose of account lockout

Account lockout can serve several purposes, such as:

  • Detect login attempts [1]
    • Example: Logging [2]
  • Slow down login attempts
    • Example: Duration-based lockout, scrypt, Argon2
  • Interrupt login attempts
    • Example: Require multi-factor authentication
  • Passive countermeasure against login attempts
    • Example: Require a phone call to an administrator [3]
  • Active countermeasure against login attempts
    • Example: Take a photo with the front camera [4]
  • Prevent information leakage
    • Example: Data wipe

Methods for unlocking

There are several ways to unlock a locked account, such as:

  • Operation-less unlock: the lock expires after the account lockout duration (e.g. Account Lockout Policies in Windows)
  • Operation by oneself: unlock via e-mail or SMS (e.g. Twitter)
  • Operation by others: unlock by an administrator (e.g. Active Directory)

Note that self-service unlock should rely on an authentication factor other than "something you know" (the category passwords belong to); if the lock can be cleared with the same password the attacker is guessing, the attacker simply keeps guessing.

Suitable purposes and situations

Each unlock method suits different purposes and situations. For example, unlock after the account lockout duration can detect and slow down login attempts, but cannot interrupt them. Also, some systems treat the lockout duration as downtime (e.g. the operator-side interface of a call center system, which must be operated in real time), while others don't (e.g. Facebook, where users can still read posts and messages once unlocked). It depends on the features of the system. The table below shows which purposes each unlock method fulfills.

# Purpose Unlock after lockout duration Unlock with e-mail or SMS Unlock with operation of administrators
1 Detect attempts
2 Slow down attempts
3 Interrupt attempts
4 Passive countermeasure
5 Active countermeasure
6 Prevent information leakage
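As an added example (not code from this post), here is a Python sketch of the mechanics described above: every attempt is written to an audit log (detect), every guess pays an scrypt cost (slow down), the account locks after a threshold of failures and unlocks by itself once the lockout duration has passed (operation-less unlock), and self-service unlock accepts only a one-time token delivered over an out-of-band channel, so the password never unlocks anything. The class and method names, the policy numbers, the injected clock and the out-of-band callback are all assumptions made for the example; the scrypt parameters are deliberately low so the demo runs quickly.

```python
# Added example, not code from the post; class, method and policy names/values are hypothetical.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5            # failed attempts that trigger a lockout
    lockout_seconds: float = 900  # operation-less unlock: the lock expires on its own


@dataclass
class _Account:
    salt: bytes
    key: bytes                                 # scrypt(password): every guess pays the KDF cost
    failures: int = 0
    locked_until: float = 0.0
    unlock_token_hash: Optional[bytes] = None  # sha256 of the one-time token sent out of band


class AccountLockout:
    def __init__(self, policy: LockoutPolicy, send_out_of_band: Callable[[str, str], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy, self.send_out_of_band, self.clock = policy, send_out_of_band, clock
        self.accounts: Dict[str, _Account] = {}
        self.events: List[Tuple[float, str, str]] = []  # audit log: the "detect attempts" purpose

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)

    def _log(self, account: str, event: str) -> None:
        self.events.append((self.clock(), account, event))

    def register(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[account] = _Account(salt=salt, key=self._kdf(password, salt))

    def attempt(self, account: str, password: str) -> str:
        """Returns 'ok', 'failed' or 'locked'; a locked account's password is not even checked."""
        acct, now = self.accounts[account], self.clock()
        if acct.locked_until > now:
            self._log(account, "attempt while locked")
            return "locked"
        if secrets.compare_digest(self._kdf(password, acct.salt), acct.key):
            acct.failures = 0
            self._log(account, "login ok")
            return "ok"
        acct.failures += 1
        self._log(account, f"login failed ({acct.failures}/{self.policy.threshold})")
        if acct.failures >= self.policy.threshold:
            acct.locked_until, acct.failures = now + self.policy.lockout_seconds, 0
            self._log(account, "locked out")
            return "locked"
        return "failed"

    def request_unlock(self, account: str) -> None:
        """Self-service unlock, step 1: one-time token over a channel the guesser does not control."""
        token = secrets.token_urlsafe(16)
        self.accounts[account].unlock_token_hash = hashlib.sha256(token.encode()).digest()
        self.send_out_of_band(account, token)  # e-mail or SMS in a real system; the password plays no part
        self._log(account, "unlock token sent")

    def unlock_with_token(self, account: str, token: str) -> bool:
        """Self-service unlock, step 2: the token is consumed whether or not it matches."""
        acct = self.accounts[account]
        expected, acct.unlock_token_hash = acct.unlock_token_hash, None
        ok = expected is not None and secrets.compare_digest(hashlib.sha256(token.encode()).digest(), expected)
        if ok:
            acct.locked_until, acct.failures = 0.0, 0
        self._log(account, "unlocked via token" if ok else "bad unlock token")
        return ok


def demo() -> dict:
    """Constructed scenario: guesses trigger the lockout, then both unlock paths are exercised."""
    outbox, clock = {}, [0.0]  # stand-ins for the user's mailbox/phone and for real time
    guard = AccountLockout(LockoutPolicy(threshold=3, lockout_seconds=60),
                           send_out_of_band=lambda acct, tok: outbox.__setitem__(acct, tok),
                           clock=lambda: clock[0])
    right = "correct horse battery staple"
    guard.register("alice", right)
    out = {"guesses": [guard.attempt("alice", g) for g in ("123456", "password", "qwerty")]}
    out["right_password_while_locked"] = guard.attempt("alice", right)
    clock[0] += 61  # lockout duration has passed: operation-less unlock
    out["right_password_after_wait"] = guard.attempt("alice", right)
    for g in ("a", "b", "c"):  # lock the account again
        guard.attempt("alice", g)
    guard.request_unlock("alice")
    out["bad_token"] = guard.unlock_with_token("alice", "not-the-token")
    out["right_password_after_bad_token"] = guard.attempt("alice", right)
    guard.request_unlock("alice")
    out["good_token"] = guard.unlock_with_token("alice", outbox["alice"])
    out["right_password_after_good_token"] = guard.attempt("alice", right)
    return out
```

Two details worth keeping in a real implementation: the password is not verified at all while the account is locked, so the lockout really stops the guesser rather than merely hiding the answer, and the unlock token is consumed on first use whether or not it matches, so the unlock path cannot itself be brute-forced. Unlock by an administrator (the third method above) is just clearing the lock under an audit log entry naming the operator, and is left out of the sketch.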

  1. In this list, "login attempts" means a brute-force attack, a dictionary attack, or a password-list attack (credential stuffing). IP-based lockout to prevent reverse brute-force attacks (password spraying) is out of scope of this article.

  2. Strictly speaking, this is not a feature of the account lockout function itself.

  3. In Japan, every phone call (and its geolocation information) is logged by the carriers, and the police can access those logs.

  4. Only for smartphone apps or teleconference systems (it requires a camera, and the adversary has to be in front of it).

Poverty rate in Japan (relative poverty) and the world poverty line (absolute poverty)

The poverty rate in Japan is measured in terms of relative poverty. In the 2017 Comprehensive Survey of Living Conditions, the households counted as poor are those whose annual equivalent disposable income is below 1.22 million yen.
The world poverty rate is measured in terms of absolute poverty. Under the World Bank's 2015 definition, the people counted as poor are those living below the poverty line of $1.90 per day at purchasing power parity (about 77,000 yen a year at 112 yen to the dollar).

On iOS 11, a tweet URL saved in Reminders cannot open the Twitter app

  • On iOS 10.3, a tweet URL saved in Reminders is shown with the Twitter icon. Tapping the Twitter icon launches the Twitter app and shows the corresponding tweet.
  • On iOS 11.0, a tweet URL saved in Reminders is shown without any icon (not even the Safari icon), and tapping it launches neither the Twitter app nor Safari. URLs of ordinary sites (non-tweet URLs) are still shown with the Safari icon.

No workaround has been found so far.

A List of What JCache Cannot Do

  • JCache cannot preserve insertion order. Use LinkedHashMap for that purpose.
  • JCache cannot update all entries in a cache atomically. Use AtomicReference or a locking mechanism for that purpose. (Of course, you can swap a cache atomically if there is always exactly one reference to it.)
  • JCache doesn't offer a read-write lock. Use ReadWriteLock for that purpose.
  • JCache doesn't offer an unmodifiable view of a cache. Use Collections.unmodifiableMap() for that purpose.

The meanings of word "cache" in software engineering

I think the word "cache" has many different meanings depending on context, like below.

Note: In this list, "invalidated" means that the source of the cached value may have changed, so the cached value may be stale.

  1. Something like the cache in a web browser. The cache stores the result of every operation that has already been performed (typically operations that consumed a lot of resources). Values in the cache may be invalidated individually because some inputs are volatile, but the cache is not coherent.
  2. Something like the result of a precomputation. The cache stores the results of operations the programmer specified (because computing them costs a lot of time or memory). It may never be invalidated.
  3. Something like memoization. The cache stores the result of each operation that the programmer specified and that has already been called. It may never be invalidated, but entries may be discarded because of the time-space tradeoff (e.g. weak references in Java). It should be coherent.
  4. Something like in-memory views in an RDBMS. The cache stores values from files or tables the programmer specified, in order to reduce access cost or to implement a read-only view. It may be invalidated and must be coherent. It must be updated atomically.
  5. Something like an in-memory copy of files. The cache stores values from files or tables the programmer specified, in order to reduce access cost. It may sometimes be invalidated, but the programmer controls the timing of invalidation. Coherency does not matter, but it must be updated atomically.
  6. Something like a CPU cache or ZFS L2ARC. The cache stores data that has already been accessed, in order to reduce access cost. It may be updated or invalidated. It must be coherent, but does not have to be updated atomically.
  7. (Not in the table below) Something like an in-memory data store (e.g. memcached). The cache stores values the programmer specified. It may be updated and is never invalidated (sometimes the values exist only in the cache!). It does not have to be updated atomically.

I tried to organize these concepts in the table below:

#   Target of Cache  Invalidated?  Coherent?  Atomic?  Example
1   each             no            no         no       Memoization
2   each             no            no         yes      Memoization
3   each             no            yes        no       Memoization
4   each             no            yes        yes      Memoization
5   each             yes           no         no       Cache in Web Browsers
6   each             yes           no         yes      Cache in Web Browsers
7   each             yes           yes        no       ?
8   each             yes           yes        yes      ?
9   whole            no            no         no       Precomputation
10  whole            no            no         yes      Precomputation
11  whole            no            yes        no       Precomputation
12  whole            no            yes        yes      Precomputation
13  whole            yes           no         no       ?
14  whole            yes           no         yes      On-memory Copy of Files
15  whole            yes           yes        no       CPU Cache or L2ARC
16  whole            yes           yes        yes      In-memory Views in RDBMS