Makoto Posted October 22, 2015

The default maximum number of login attempts allowed on new installations before an account is locked is currently 3. After making 3 failed login attempts, the account is locked for 15 minutes.

Please increase the default to something more reasonable, like 10. Someone is not going to brute force an account with 10 requests every 15 minutes. They're just not. If you increase this to something more reasonable you could even get away with reasonably doubling the lockout to 30 minutes without causing legitimate users problems. But please don't leave this at 3.

I absolutely detest websites that have such unreasonable login systems. There is no sensible reason to block someone out after making 3 failed login attempts. It's not even reasonable to force captcha input after so few login attempts.

Normal, everyday users forget passwords all the time. Unless you use the same password on every single website, this is normal. Sometimes people have to guess through a set of passwords before they get the right one. Getting locked out or being forced to supply captcha input when you don't get the correct login after a mere few attempts is immensely frustrating. Frustrating enough that I often just end up saying "sod this, I'll do whatever I was going to do on this site later" when it happens.

tl;dr please don't create more websites that have oppressive login restrictions by default, set the default settings to something more reasonable. Please.

Paul.F Posted October 23, 2015

If you are talking about a new installation, changing the amount of login attempts is so easy it isn't worth the complaint.

If you are talking about this website, well to be honest if you get your login details wrong 3 times then you may need a 15 min break.

Makoto Posted October 23, 2015 Author

2 hours ago, Paul.F said:
If you are talking about a new installation, changing the amount of login attempts is so easy it isn't worth the complaint.

Yes, it is worth requesting be changed. Just because it's easy to change yourself doesn't mean it should be left at such an unreasonable default value. The average administrator probably doesn't think twice about this setting, nor do they realize the amount of frustration things like this cause end users. For the most part that frustration is transparent to the administrators, because if someone is too frustrated to log in to your website, they're quite unlikely to be bothered to send in a complaint about it.

2 hours ago, Paul.F said:
If you are talking about this website, well to be honest if you get your login details wrong 3 times then you may need a 15 min break.

That's utter nonsense.

Hitori Bocchi Posted November 7, 2015

Have there been any changes in 4.1 regarding this?

Archived
This topic is now archived and is closed to further replies.