How to reduce account lockout helpdesk calls?

The simplest and most effective way to reduce account lockout helpdesk calls is to configure the account lockout and password policies in a balanced way. When configuring these policies we are pulled in two directions: if we favour security, users' work suffers, and if we favour users' work, security suffers. So we need a balance, such that neither work nor security is compromised. To make this clearer, let us look at some critical settings in the account lockout and password policies.

  • If we set the "Account lockout threshold" to zero, then no matter how many invalid logon attempts are made, user accounts will never be locked out. This reduces helpdesk calls, but it leaves us unaware of brute-force and dictionary attacks against our user accounts, so a breach can go unnoticed.

    False lockouts can also occur if you set the "Account lockout threshold" lower than the default value of 10, because users and programs can retry a bad password often enough to lock out the account, which adds further helpdesk calls. So it is recommended to set a high value for the "Account lockout threshold", such as more than 10 invalid logon attempts; this will greatly reduce helpdesk calls.

  • Similarly for the "Account lockout duration": if you set a high value, hackers cannot brute-force your user accounts during that time, but it costs your users' working time. If you set this value to zero, a locked-out account can only be unlocked manually. Although this increases security, it increases helpdesk calls and the time the helpdesk spends resolving each one. So it is recommended to set a low value for the "Account lockout duration" to reduce helpdesk calls.
  • Configure the password complexity and password length settings carefully to protect user accounts from dictionary attacks.
  • Rotate passwords regularly by configuring the "Maximum password age", which makes it harder for hackers to guess a password before it is changed.
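The settings above applied together, as an added example rather than anything from the original article: it writes a balanced lockout and password policy to the default domain policy with the ActiveDirectory module, reads it back, and warns on the two extremes the article describes (a threshold of zero, a duration of zero). The threshold, duration, window, age and length values are illustrative choices, not a mandated standard, and the script assumes RSAT and rights to edit the default domain policy.

```powershell
# Added example (not from the original article): apply a balanced lockout and
# password policy to the default domain policy and read it back.
# Assumes the ActiveDirectory RSAT module is installed and the session has
# rights to edit the default domain policy. Values are illustrative.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot

# Threshold above the default of 10 (per the article) so that retried bad
# passwords from cached credentials or scripts do not cause false lockouts,
# while online guessing is still bounded.
$Threshold         = 15                         # invalid attempts before lockout
$LockoutDuration   = New-TimeSpan -Minutes 15   # short: self-heals without a call
$ObservationWindow = New-TimeSpan -Minutes 15   # Windows requires window <= duration
$MaxPasswordAge    = New-TimeSpan -Days 90
$MinLength         = 12

Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold $Threshold `
    -LockoutDuration $LockoutDuration `
    -LockoutObservationWindow $ObservationWindow `
    -ComplexityEnabled $true `
    -MinPasswordLength $MinLength `
    -MaxPasswordAge $MaxPasswordAge

# Read the policy back and sanity-check it against the article's guidance.
$p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$p | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  ComplexityEnabled, MinPasswordLength, MaxPasswordAge

if ($p.LockoutThreshold -eq 0) {
    Write-Warning "Threshold is 0: accounts never lock, so brute-force attempts go unnoticed."
}
if ($p.LockoutDuration -eq [TimeSpan]::Zero) {
    Write-Warning "Duration is 0: every lockout needs a manual unlock, i.e. a helpdesk call."
}
if ($p.LockoutObservationWindow -gt $p.LockoutDuration) {
    Write-Warning "Observation window exceeds lockout duration; it must be less than or equal."
}
```

Run it once on a domain controller or an admin workstation with RSAT; the read-back at the end is what you would paste into a change record, and the warnings fire only when a setting drifts back to one of the extremes.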

These best practices will greatly reduce account lockout helpdesk calls.
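Raising the threshold only stays safe if someone still looks at the lockouts that do happen. The following is an added example, not code from the original article: it summarises Security event 4740 (account locked out) per account so that a stale cached credential hammering one user from one workstation (a false lockout, a helpdesk issue) can be told apart from one account locked from many hosts (guessing, a security issue). It assumes you can read the Security log on the PDC emulator, which records every lockout; the sample records at the bottom are constructed so the function can be exercised offline.

```powershell
# Added example (not from the original article): summarise 4740 lockout events
# so that a high lockout threshold does not leave guessing attacks unnoticed.
# Assumes read access to the Security log on the PDC emulator for live use.
function Get-LockoutSummary {
    param(
        # Objects with Account, CallerComputer and Time properties
        [Parameter(Mandatory)] [object[]] $Lockouts,
        # Repeated lockouts of one account from one host before we call it a stale credential
        [int] $RepeatLimit = 3
    )
    $Lockouts | Group-Object Account | ForEach-Object {
        $sources = @($_.Group.CallerComputer | Sort-Object -Unique)
        [pscustomobject]@{
            Account   = $_.Name
            Lockouts  = $_.Count
            Sources   = ($sources -join ', ')
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            # One workstation locking one user repeatedly is usually a stale
            # cached credential (false lockout); one account hit from several
            # hosts looks like password guessing and deserves a look.
            Verdict   = if ($sources.Count -gt 1) { 'multi-source: investigate' }
                        elseif ($_.Count -ge $RepeatLimit) { 'repeat from one host: likely stale credential' }
                        else { 'single lockout' }
        }
    } | Sort-Object Lockouts -Descending
}

# Live query (uncomment on the PDC emulator). In event 4740 the locked
# account is Properties[0] and the calling computer name is Properties[1].
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         [pscustomobject]@{ Account = $_.Properties[0].Value; CallerComputer = $_.Properties[1].Value; Time = $_.TimeCreated }
#     }
# Get-LockoutSummary -Lockouts $live | Format-Table -AutoSize

# Constructed sample records standing in for the live query above.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Account = 'jsmith';     CallerComputer = 'WS-0141'; Time = $now.AddMinutes(-50) }
    [pscustomobject]@{ Account = 'jsmith';     CallerComputer = 'WS-0141'; Time = $now.AddMinutes(-35) }
    [pscustomobject]@{ Account = 'jsmith';     CallerComputer = 'WS-0141'; Time = $now.AddMinutes(-20) }
    [pscustomobject]@{ Account = 'svc-backup'; CallerComputer = 'WS-0213'; Time = $now.AddMinutes(-12) }
    [pscustomobject]@{ Account = 'svc-backup'; CallerComputer = 'WS-0098'; Time = $now.AddMinutes(-9)  }
    [pscustomobject]@{ Account = 'mlee';       CallerComputer = 'WS-0177'; Time = $now.AddMinutes(-3)  }
)
Get-LockoutSummary -Lockouts $sample | Format-Table -AutoSize
```

On the constructed data, jsmith is reported as a likely stale credential on WS-0141 (three lockouts from one host), svc-backup as multi-source and worth investigating, and mlee as a single lockout. Scheduling this daily against the PDC emulator gives the helpdesk a list of hosts to clear cached credentials on, and gives security the accounts that warrant a closer look, without lowering the threshold.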