Invision Community 4: SEO, prepare for v5 and dormant account notifications Matt November 11, 2024Nov 11
Posted December 28, 20159 yr Is there a way to increase the number of login attempts before an account is locked out? And how long does an account stay locked out for when they enter a wrong password? Where can I manage this information?
December 28, 20159 yr You should be able to set this option in your ACP. I have mine set up where if a user's account is locked, the system will unlock after 15 minutes. But, I think admin's should leave it locked until user contacts the admin, to prevent hackers from deliberately locking forum accounts.
December 28, 20159 yr 7 hours ago, cualupe said: Is there a way to increase the number of login attempts before an account is locked out? And how long does an account stay locked out for when they enter a wrong password? Where can I manage this information? ACP -> System -> (Settings) Login Handlers -> Login Settings
December 28, 20159 yr Author Thanks @Morisato and @Nathan Explosion Don't know why I didn't notice that section - I guess the title didn't make it obvious.
December 29, 20159 yr The problem I ran into is that while the automatic unlock was fine for IPS3 (the chances of a user discovering the login was rare). But, this isn't true for IPS4. It just takes a rogue user visiting your site to decide to wrongly log into your account, which locks it up. If there was a way to disable this from happening, I would definitely welcome it. But, as someone who actively protects his members from such things, its security that I try to maintain. I think this may have been an oversight with IPS.
December 29, 20159 yr Author Wow, that's stupid. I didn't think that people could lock other people's accounts. Hopefully no-one clues on to this and acts like a wanker on the forum.
December 29, 20159 yr Switch your login handler to email only, then no one can do that unless they know the email, this also prevents bots from running password scripts based on the member names.
December 29, 20159 yr Author Nah that won't work on my forum. Too many existing members used to doing things one way.
December 29, 20159 yr Honestly it's not a big deal. I also believe they keep their emails up to date because they log in with them. If they log in with a username for 5 years chances are they don't. Once you change it, they are still logged in. When logged out and they go to log in, if they enter their username, it fails, and in the error message it says to enter email. In your language just put email address in big bold red letters. You could even add a message like "We now require..." You will not receive any messages. (maybe a few...)
December 29, 20159 yr Author I'll leave it as username login until something goes down (which will hopefully be never).
December 29, 20159 yr You can set it as "display name or email address" actually. So if you ever change it, some people already transitioned on their own. Just a tip, not trying to impress it upon you.
Archived
This topic is now archived and is closed to further replies.