Account Locked

[Cool Surfer]

Hi
I just noticed that you cant login after your account has been locked after
a particular no of attempts for particular amount of time.

The error returned was:

Sorry, your account has been locked due to an excessive number of failed login attempts within a defined period. Your account will automatically be unlocked in 14 minutes

Is it not possible to login with correct id n pwdafter the account has been locked?

Secondly

If account locking feature is enabled on a particular forum, can any one lock any member
by entering wrong pwd ?

[Mesmer]

- not possible to login with the correct id+pw when the account has been locked
- account locking is connected to your ip-adress, so you can't lock someone else his/her account.

[Cool Surfer]

So account locking wont work if you are using a proxy server that changes your ip
every other minute?

[Charles]

Most things don't work if you have a proxy server that changes your IP every other minute :)

[bfarber]

We linked account locking to IP address purely so an account can't be bruteforced. We also didn't want members to be able to lock all the admin accounts out of spite, with the admin having no way to get back in. ;)

We won't remove the IP-tracking, as then anyone could lock anyone's account which would be chaos.

[bfarber]

Note, you can also set a time-based limit on the account locking - so that after x amount of time you can try to login again.

[Cool Surfer]

We linked account locking to IP address purely so an account can't be bruteforced. We also didn't want members to be able to lock all the admin accounts out of spite, with the admin having no way to get back in. ;)

We won't remove the IP-tracking, as then anyone could lock anyone's account which would be chaos.

I am a bit confused here. I just locked my own second admin account. I know it will be unlocked
after the set time limit. BUT ...

One problem ... a person trying to login as admin, wont be logged in at that time. Right?
So how will the software know not to lock admin account. It could very well be a hacker trying
different pwds. Or am I missing something here?

[Mesmer]

The account is locked for the users IP address. So when I try to hack your account I'm getting locked. You will be able to login with the correct info from another/ your IP address.

[xcom923]

if the admin account is locked it will be locked from the one trying to get in. If someone else has the user and pass it will work for them even if it's locked.

[Cool Surfer]

The account is locked for the users IP address. So when I try to hack your account I'm getting locked. You will be able to login with the correct info from another/ your IP address.

So if I use a proxy server to hack into ur account, will I be able to try unlimited no of times?

[Millar]

So if I use a proxy server to hack into ur account, will I be able to try unlimited no of times?

Most likely, if the address always changes...

[Cool Surfer]

Most likely, if the address always changes...

I dont think so that this is happening. You get locked after 3 attempts(if set to 3)
no matter what your ip is.

Or is it the PC hardware stamp that is being used?

[bfarber]

It is the IP. We've tested it locally succesfully. I had Keith lock my account from his pc, and then I was still able to login.

[Millar]

If you lock an account on your PC does that mean you can login to a different account?

If so I think it should just lock you from all accounts..

[Grant]

Honestly it really doesn't matter because the account lockout feature only disallows access for the users computer and not the other way around. So even if they lock all the accounts in your forum it doesn't affect the user accounts at all... It simply disallows him from logging into the account from his PC.

[Cool Surfer]

If you lock an account on your PC does that mean you can login to a different account?

If so I think it should just lock you from all accounts..

No it doesnt lock u out from the forum for any id. It locks u from trying just that id.

[bfarber]

What if you are an admin, and accidentally lock your own account (but have a backup admin account). If it locked you completely from the IP, you wouldn't be able to use your backup account to get back in.

The idea is to stop bruteforce scripts from trying to get in. If someone is willing to take 3 (or 5 or whatever) stabs at every account on your forum, you might notice this in your accounts locked queue in the ACP and ban them I'd say. But I wouldn't think there'd be any more or less security risk if they can login to a second account.

[Cool Surfer]

So what I gather is ... if some one uses a good proxy server , something like proxyrama
which changes its ip with each refresh, then he can brute force?

[Cool Surfer]

Most likely a professional hacker/brute forcer will use such a proxy program to go thro multiple proxies.

[.Jack]

There aren't enough proxies in the world for a "hacker" to successfully bruteforce your pass, believe me. There ESPECIALLY aren't enough proxies on this proxyrama site you talk about.

Bruteforcing a pass can potentially take hundreds and hundreds of millions of attempts before a sucessful collision.

[Cool Surfer]

There aren't enough proxies in the world for a "hacker" to successfully bruteforce your pass, believe me. There ESPECIALLY aren't enough proxies on this proxyrama site you talk about.

Bruteforcing a pass can potentially take hundreds and hundreds of millions of attempts before a sucessful collision.

I know proxyrama is sort of obsolete now that google changed the search syntax.

[Guest]

i think the vbulletin account locking feature is better, they lock out the account for 15 minutes after 5 failed attempts and that is a lock regardless of the ip-address, after 15 minutes you can try again: so rather painless and pretty effective against brute forcing.

[bfarber]

Problem with that is, I could go to your forum and try to login as you, incorrectly, 5 times and you're locked.

I do that to all the admins and the mods, and bam - no one can stop me from what I want to do on the site. If I'm ambitious enough, I can keep timing the 15 minutes and keep doing it.

Tied to the IP - members can't do that. I, personally, wouldn't want members on my board locking all the admin accounts so they can play with no body to enforce the rules.

You CAN set a time-limit to the locking in the ACP - so the only difference between the current implementation and what you are saying is that the lockout is tied to the account per IP.