How to change login attempts from 1 failed = locked

[cualupe]

Is there a way to increase the number of login attempts before an account is locked out?

And how long does an account stay locked out for when they enter a wrong password?

Where can I manage this information?

[Rheddy]

You should be able to set this option in your ACP. I have mine set up where if a user's account is locked, the system will unlock after 15 minutes. But, I think admin's should leave it locked until user contacts the admin, to prevent hackers from deliberately locking forum accounts.

[Nathan Explosion]

7 hours ago, cualupe said:

Is there a way to increase the number of login attempts before an account is locked out?

And how long does an account stay locked out for when they enter a wrong password?

Where can I manage this information?

ACP -> System -> (Settings) Login Handlers -> Login Settings

[cualupe]

Thanks @Morisato and @Nathan Explosion

Don't know why I didn't notice that section - I guess the title didn't make it obvious.

[Rheddy]

The problem I ran into is that while the automatic unlock was fine for IPS3 (the chances of a user discovering the login was rare). But, this isn't true for IPS4. It just takes a rogue user visiting your site to decide to wrongly log into your account, which locks it up. If there was a way to disable this from happening, I would definitely welcome it. But, as someone who actively protects his members from such things, its security that I try to maintain. I think this may have been an oversight with IPS.

 

[cualupe]

Wow, that's stupid.

I didn't think that people could lock other people's accounts. Hopefully no-one clues on to this and acts like a wanker on the forum.

[chilihead]

Switch your login handler to email only, then no one can do that unless they know the email, this also prevents bots from running password scripts based on the member names.

[cualupe]

Nah that won't work on my forum. Too many existing members used to doing things one way.

 

[chilihead]

Honestly it's not a big deal. I also believe they keep their emails up to date because they log in with them. If they log in with a username for 5 years chances are they don't. Once you change it, they are still logged in. When logged out and they go to log in, if they enter their username, it fails, and in the error message it says to enter email. In your language just put email address in big bold red letters. You could even add a message like "We now require..." You will not receive any messages.  (maybe a few...)

[cualupe]

I'll leave it as username login until something goes down (which will hopefully be never).

[chilihead]

You can set it as "display name or email address" actually. So if you ever change it, some people already transitioned on their own. Just a tip, not trying to impress it upon you.  

[cualupe]

Yeah all good I appreciate someone responding!

Thanks