Lock user account after how many failed login attempts.

[AlexJ]

When users enter wrong password 5 times their accounts get locked out. But it never shows to him that his account is locked for 15 mins or for how many minutes board admin chooses.

I think board should at least show him how many attempts he still can make before his account get locked. Sometimes people just keep trying and trying but they never realize after 3 wrong trials there account is locked.

Would also like to suggest new feature that if more then 3 fail attempts are made user would received e-mail from which IP those 3 attempts are made on the email which is associated to his account.

I looked all the way but was not able to find that feature. If it is already their someone point me how to enable it.

[Morrigan]

This one is difficult for me to agree with because this could be a security risk in so many ways. >_<

[AlexJ]

[quote name='Morrigan' date='09 November 2009 - 06:30 PM' timestamp='1257791415' post='1877473']
This one is difficult for me to agree with because this could be a security risk in so many ways. >_<


How? Please explain.

[Morrigan]

Well if a member knows how many attempts they have to attempt someone's password they can brute force an account easier. So you're told "You have 2 more attempts, 1 more attempts 0 attempts for 15 minutes" etc then the person KNOWS that any attempt that they are doing while the account is locked isn't going to work so there isn't a point in trying. If they don't then they could still be trying, get it right ans STILL not get logged in and not know that they got it right.

I hope that makes sense because it makes sense in my head but trying to explain it is a little more difficult.