Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt Monday at 02:04 PM
cualupe Posted December 28, 2015 Posted December 28, 2015 Is there a way to increase the number of login attempts before an account is locked out? And how long does an account stay locked out for when they enter a wrong password? Where can I manage this information?
Rheddy Posted December 28, 2015 Posted December 28, 2015 You should be able to set this option in your ACP. I have mine set up where if a user's account is locked, the system will unlock after 15 minutes. But, I think admin's should leave it locked until user contacts the admin, to prevent hackers from deliberately locking forum accounts.
Nathan Explosion Posted December 28, 2015 Posted December 28, 2015 7 hours ago, cualupe said: Is there a way to increase the number of login attempts before an account is locked out? And how long does an account stay locked out for when they enter a wrong password? Where can I manage this information? ACP -> System -> (Settings) Login Handlers -> Login Settings
cualupe Posted December 28, 2015 Author Posted December 28, 2015 Thanks @Morisato and @Nathan Explosion Don't know why I didn't notice that section - I guess the title didn't make it obvious.
Rheddy Posted December 29, 2015 Posted December 29, 2015 The problem I ran into is that while the automatic unlock was fine for IPS3 (the chances of a user discovering the login was rare). But, this isn't true for IPS4. It just takes a rogue user visiting your site to decide to wrongly log into your account, which locks it up. If there was a way to disable this from happening, I would definitely welcome it. But, as someone who actively protects his members from such things, its security that I try to maintain. I think this may have been an oversight with IPS.
cualupe Posted December 29, 2015 Author Posted December 29, 2015 Wow, that's stupid. I didn't think that people could lock other people's accounts. Hopefully no-one clues on to this and acts like a wanker on the forum.
chilihead Posted December 29, 2015 Posted December 29, 2015 Switch your login handler to email only, then no one can do that unless they know the email, this also prevents bots from running password scripts based on the member names.
cualupe Posted December 29, 2015 Author Posted December 29, 2015 Nah that won't work on my forum. Too many existing members used to doing things one way.
chilihead Posted December 29, 2015 Posted December 29, 2015 Honestly it's not a big deal. I also believe they keep their emails up to date because they log in with them. If they log in with a username for 5 years chances are they don't. Once you change it, they are still logged in. When logged out and they go to log in, if they enter their username, it fails, and in the error message it says to enter email. In your language just put email address in big bold red letters. You could even add a message like "We now require..." You will not receive any messages. (maybe a few...)
cualupe Posted December 29, 2015 Author Posted December 29, 2015 I'll leave it as username login until something goes down (which will hopefully be never).
chilihead Posted December 29, 2015 Posted December 29, 2015 You can set it as "display name or email address" actually. So if you ever change it, some people already transitioned on their own. Just a tip, not trying to impress it upon you.
cualupe Posted December 29, 2015 Author Posted December 29, 2015 Yeah all good I appreciate someone responding! Thanks
.jpg.1b50bf49d844acde95871bed2b9d6cd2.thumb.jpg.dbcd1b0e7d6d922d3206588da25d888d.jpg)
Recommended Posts
Archived
This topic is now archived and is closed to further replies.