Problems with account lockout implementation
05-24-2012, 12:42 PM,
#1
Problems with account lockout implementation
The design of the account lockout functionality seems to be a little naive and, in the worst case, exposes the application to potential denial of service, as well as potential exposure of valid accounts.

Since at least one account has a fixed username (admin) created at install time, there's a high probability that account will be in use and will be an admin account - possibly the only admin account.

I suggest a more flexible approach that will maintain security with reduced potential for DoS:

Limit attempts per IP and per session cookie to 5 unsuccessful attempts in 15 minutes. After 5 attempts, further attempts simply fail with the same error as they would with invalid username or password.

Limit attempts per username (and track this even if the username isn't valid so that it's not possible to infer which usernames correspond to accounts). Rather than locking the account out after 5 attempts, display a CAPTCHA before the user can log in. After 20 attempts, require a token code to be sent to the user's email for each attempt.
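The throttling policy proposed in this post, written out as an added example (this is not webERP code and not the poster's own implementation). It assumes two hypothetical inputs the login handler already has: a client key (the remote IP or a session-cookie id) and the submitted username, which is tracked whether or not it exists so that the response for an unknown username is indistinguishable from a known one. The thresholds are the ones given above (5 failures per client in 15 minutes, CAPTCHA after 5 failures on a username, e-mail token after 20); the choice to clear counters on a successful login is an assumption not stated in the post.

```python
from collections import defaultdict, deque
import time

WINDOW_SECONDS = 15 * 60     # 15-minute sliding window
CLIENT_LIMIT = 5             # per IP / per session cookie: then fail silently
CAPTCHA_THRESHOLD = 5        # per username: demand a CAPTCHA
EMAIL_TOKEN_THRESHOLD = 20   # per username: demand an e-mailed token per attempt


class LoginThrottle:
    """Sliding-window failure counters keyed by client and by username.

    `clock` is injected so the window can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._client_failures = defaultdict(deque)  # client_key -> timestamps
        self._user_failures = defaultdict(deque)    # username   -> timestamps

    def _count(self, table, key, now):
        # Drop timestamps older than the window, then count what is left.
        q = table[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def required_step(self, client_key, username):
        """What the login form must demand before a password is even checked.

        Returns one of: "deny" (respond with the generic invalid-credentials
        error without checking anything), "email_token", "captcha", "password".
        """
        now = self._clock()
        if self._count(self._client_failures, client_key, now) >= CLIENT_LIMIT:
            return "deny"
        # Unknown usernames are counted too, so an attacker cannot tell from
        # the CAPTCHA/token behaviour whether an account exists.
        n = self._count(self._user_failures, username, now)
        if n >= EMAIL_TOKEN_THRESHOLD:
            return "email_token"
        if n >= CAPTCHA_THRESHOLD:
            return "captcha"
        return "password"

    def record_failure(self, client_key, username):
        now = self._clock()
        self._client_failures[client_key].append(now)
        self._user_failures[username].append(now)

    def record_success(self, client_key, username):
        # Assumption: a successful login resets both counters.
        self._client_failures.pop(client_key, None)
        self._user_failures.pop(username, None)


class FakeClock:
    """Constructed clock for the walkthrough below."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Walk through the scenarios the post describes with constructed traffic."""
    clock = FakeClock()
    th = LoginThrottle(clock)
    out = {}
    # One source hammers the fixed 'admin' account: after 5 it is cut off.
    for _ in range(5):
        th.record_failure("10.0.0.1", "admin")
    out["attacker_after_5"] = th.required_step("10.0.0.1", "admin")
    # The real admin from another address is NOT locked out, only CAPTCHA'd.
    out["admin_other_ip"] = th.required_step("192.0.2.7", "admin")
    # A username that does not exist gets exactly the same treatment.
    for _ in range(5):
        th.record_failure("10.0.0.2", "nosuchuser")
    out["unknown_user"] = th.required_step("192.0.2.7", "nosuchuser")
    # 15 more failures on 'admin' spread over many addresses: 20 in total.
    for i in range(15):
        th.record_failure(f"10.0.1.{i}", "admin")
    out["admin_after_20"] = th.required_step("192.0.2.7", "admin")
    # Once the window has passed, everything is forgotten.
    clock.t += WINDOW_SECONDS + 1
    out["after_window"] = th.required_step("10.0.0.1", "admin")
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point the walkthrough makes is the one the post makes: the fixed `admin` account can never be locked by a third party, since the hard block is per client, while the per-username step only raises friction (CAPTCHA, then an e-mailed token) that the legitimate owner can satisfy.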
11-22-2012, 09:59 AM,
#2
RE: Problems with account lockout implementation
Well, it would be very silly to leave the admin account there IMHO as admin....
After 5 (or any number you can set in includes/session.inc) consecutive incorrect username/password combos the account is blocked completely.
If the username is not even recognised you can keep on trying.

There are a lot of ways to do this - happy to incorporate any mods you submit.
Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
11-07-2015, 06:42 PM,
#3
RE: Problems with account lockout implementation
Option to give the name of the database, please suggest.
11-07-2015, 08:03 PM,
#4
RE: Problems with account lockout implementation
(11-07-2015, 06:42 PM)dezeni11 Wrote: Option to give the name of the database, please suggest.

In config.php change the value of $AllowCompanySelectionBox to 'ShowInputBox'

Tim