
Account Locked


Guest Cool Surfer


Posted

Hi
I just noticed that you can't log in after your account has been locked after
a particular number of attempts for a particular amount of time.


The error returned was:

Sorry, your account has been locked due to an excessive number of failed login attempts within a defined period. Your account will automatically be unlocked in 14 minutes



Is it not possible to log in with the correct ID and password after the account has been locked?

Secondly

If the account locking feature is enabled on a particular forum, can anyone lock any member
by entering the wrong password?

Posted

- not possible to login with the correct id+pw when the account has been locked
- account locking is connected to your IP address, so you can't lock someone else's account.

Posted

We linked account locking to IP address purely so an account can't be bruteforced. We also didn't want members to be able to lock all the admin accounts out of spite, with the admin having no way to get back in. ;)

We won't remove the IP-tracking, as then anyone could lock anyone's account which would be chaos.

Posted

We linked account locking to IP address purely so an account can't be bruteforced. We also didn't want members to be able to lock all the admin accounts out of spite, with the admin having no way to get back in. ;)


We won't remove the IP-tracking, as then anyone could lock anyone's account which would be chaos.



I am a bit confused here. I just locked my own second admin account. I know it will be unlocked
after the set time limit. BUT ...

One problem ... a person trying to log in as admin won't be logged in at that time. Right?
So how will the software know not to lock the admin account? It could very well be a hacker trying
different passwords. Or am I missing something here?
Posted

The account is locked for the user's IP address. So when I try to hack your account I'm getting locked. You will be able to log in with the correct info from another/your IP address.

Posted

If the admin account is locked, it will be locked for the one trying to get in. If someone else has the user and pass, it will work for them even if it's locked.

Posted

The account is locked for the user's IP address. So when I try to hack your account I'm getting locked. You will be able to log in with the correct info from another/your IP address.



So if I use a proxy server to hack into your account, will I be able to try an unlimited number of times?
Posted

So if I use a proxy server to hack into your account, will I be able to try an unlimited number of times?


Most likely, if the address always changes...
Posted

Most likely, if the address always changes...



I don't think that this is happening. You get locked after 3 attempts (if set to 3)
no matter what your IP is.

Or is it the PC hardware stamp that is being used?
Posted

If you lock an account on your PC does that mean you can login to a different account?

If so I think it should just lock you from all accounts..

Posted

Honestly it really doesn't matter because the account lockout feature only disallows access for the user's computer and not the other way around. So even if they lock all the accounts in your forum it doesn't affect the user accounts at all... It simply disallows him from logging into the account from his PC.

Posted

If you lock an account on your PC does that mean you can login to a different account?



If so I think it should just lock you from all accounts..



No, it doesn't lock you out from the forum for any ID. It locks you from trying just that ID.
Posted

What if you are an admin, and accidentally lock your own account (but have a backup admin account). If it locked you completely from the IP, you wouldn't be able to use your backup account to get back in.

The idea is to stop bruteforce scripts from trying to get in. If someone is willing to take 3 (or 5 or whatever) stabs at every account on your forum, you might notice this in your accounts locked queue in the ACP and ban them I'd say. But I wouldn't think there'd be any more or less security risk if they can login to a second account.

Posted

There aren't enough proxies in the world for a "hacker" to successfully bruteforce your pass, believe me. There ESPECIALLY aren't enough proxies on this proxyrama site you talk about.

Bruteforcing a pass can potentially take hundreds and hundreds of millions of attempts before a successful collision.

Posted

There aren't enough proxies in the world for a "hacker" to successfully bruteforce your pass, believe me. There ESPECIALLY aren't enough proxies on this proxyrama site you talk about.



Bruteforcing a pass can potentially take hundreds and hundreds of millions of attempts before a successful collision.



I know proxyrama is sort of obsolete now that Google changed the search syntax.
Posted

I think the vBulletin account locking feature is better: they lock out the account for 15 minutes after 5 failed attempts, and that is a lock regardless of the IP address. After 15 minutes you can try again, so rather painless and pretty effective against brute forcing.

Posted

Problem with that is, I could go to your forum and try to login as you, incorrectly, 5 times and you're locked.

I do that to all the admins and the mods, and bam - no one can stop me from what I want to do on the site. If I'm ambitious enough, I can keep timing the 15 minutes and keep doing it.

Tied to the IP - members can't do that. I, personally, wouldn't want members on my board locking all the admin accounts so they can play with nobody to enforce the rules.

You CAN set a time-limit to the locking in the ACP - so the only difference between the current implementation and what you are saying is that the lockout is tied to the account per IP.
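The trade-off argued over in this thread, as an added Python sketch that is not part of any post and not the forum software's own code: the same failure counter keyed per account versus per (account, IP), run over one constructed scenario. The class and function names, the threshold of 3, the 15-minute window and lock, and the documentation-range addresses are all assumptions made for the illustration.

```python
from collections import defaultdict

class LockoutTracker:
    """Failed-login lockout keyed per account or per (account, IP)."""

    def __init__(self, per_ip, max_failures=3, window=900, lock_for=900):
        self.per_ip, self.max_failures = per_ip, max_failures
        self.window, self.lock_for = window, lock_for
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def _key(self, account, ip):
        return (account, ip) if self.per_ip else (account, None)

    def attempt(self, account, ip, password_ok, now):
        key = self._key(account, ip)
        if self.locked_until.get(key, 0) > now:
            return "locked"                 # even the correct password is refused
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        recent = [t for t in self.failures[key] if now - t < self.window] + [now]
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lock_for
        return "fail"

    def failing_sources(self, account, now):
        """Distinct keys with recent failures for one account (a review signal)."""
        return sum(1 for (acct, _), ts in self.failures.items()
                   if acct == account and any(now - t < self.window for t in ts))

def scenario(per_ip):
    """Constructed scenario; all addresses are documentation ranges."""
    t = LockoutTracker(per_ip)
    for i in range(3):                      # three wrong guesses from one address
        t.attempt("admin", "203.0.113.7", False, now=i)
    same_ip = t.attempt("admin", "203.0.113.7", True, now=10)
    owner = t.attempt("admin", "198.51.100.20", True, now=10)
    t2 = LockoutTracker(per_ip)             # 20 wrong guesses, each from a new address
    results = [t2.attempt("admin", f"192.0.2.{n}", False, now=n) for n in range(1, 21)]
    return {"same_ip": same_ip, "owner_other_ip": owner,
            "guesses_evaluated": results.count("fail"),
            "failing_sources": t2.failing_sources("admin", now=21)}

if __name__ == "__main__":
    print("per account+IP:", scenario(True))
    print("per account   :", scenario(False))
```

Keyed per (account, IP), the owner still gets in from another address but every new source address starts with a fresh budget, so the count of distinct failing sources per account is the number to watch; keyed per account, guessing stops after three tries but the owner is locked out along with everyone else.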

Archived

This topic is now archived and is closed to further replies.
