Problems with account lockout implementation
05-24-2012, 12:42 PM
Post: #1
Problems with account lockout implementation
The design of the account lockout functionality seems to be a little naive and in the worst case, exposes the application to potential denial of service, as well as potential exposure of valid accounts.

Since at least one account has a fixed username (admin) created at install time, there's a high probability that account will be in use and will be an admin account - possibly the only admin account.

I suggest a more flexible approach that will maintain security with reduced potential for DoS:

Limit attempts per IP and per session cookie to 5 unsuccessful attempts in 15 minutes. After 5 attempts, further attempts simply fail with the same error as they would with invalid username or password.

Limit attempts per username (and track this even if the username isn't valid so that it's not possible to infer which usernames correspond to accounts). Rather than locking the account out after 5 attempts, display a CAPTCHA before the user can log in. After 20 attempts, require a token code to be sent to the user's email for each attempt.
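The policy proposed above (per-client limit of 5 failures in 15 minutes that fails with the generic error, per-username tracking that counts unknown usernames too, CAPTCHA after 5 and an e-mailed token after 20), sketched as an added stand-alone example. This is not webERP code and not the poster's; it assumes an in-memory store, that the per-username counters use the same 15-minute window as the per-client ones (the post does not say), and that the caller supplies the client IP, session cookie value, and the outcome of the credential, CAPTCHA and token checks.

```python
from collections import deque
from enum import Enum
import hashlib


class Gate(Enum):
    ALLOW = "allow"              # plain username/password form
    CAPTCHA = "captcha"          # per-username failures >= 5: CAPTCHA first
    EMAIL_TOKEN = "email_token"  # per-username failures >= 20: e-mailed token per attempt
    BLOCKED = "blocked"          # per-IP or per-session limit hit: generic failure


class LoginThrottle:
    """Sliding-window login throttle implementing the thread's proposal (assumed values)."""

    WINDOW = 15 * 60      # seconds; assumed to apply to all three counters
    CLIENT_LIMIT = 5      # failures per IP and per session cookie
    CAPTCHA_AFTER = 5     # per-username failures before a CAPTCHA is required
    TOKEN_AFTER = 20      # per-username failures before an e-mailed token is required
    GENERIC_ERROR = "Invalid username or password"

    def __init__(self):
        self._fails = {}  # counter key -> deque of failure timestamps

    def _prune(self, key, now):
        """Drop timestamps older than WINDOW and return the live deque for key."""
        q = self._fails.setdefault(key, deque())
        while q and now - q[0] >= self.WINDOW:
            q.popleft()
        return q

    @staticmethod
    def _user_key(username):
        # Hash the normalised name: unknown usernames are tracked exactly like
        # real ones, so the throttle itself cannot be used to enumerate accounts.
        digest = hashlib.sha256(username.strip().lower().encode()).hexdigest()
        return "user:" + digest

    def gate(self, ip, session_id, username, now):
        """Decide what the login form must require before this attempt is processed."""
        if len(self._prune("ip:" + ip, now)) >= self.CLIENT_LIMIT:
            return Gate.BLOCKED
        if len(self._prune("sess:" + session_id, now)) >= self.CLIENT_LIMIT:
            return Gate.BLOCKED
        user_fails = len(self._prune(self._user_key(username), now))
        if user_fails >= self.TOKEN_AFTER:
            return Gate.EMAIL_TOKEN
        if user_fails >= self.CAPTCHA_AFTER:
            return Gate.CAPTCHA
        return Gate.ALLOW

    def record_failure(self, ip, session_id, username, now):
        for key in ("ip:" + ip, "sess:" + session_id, self._user_key(username)):
            self._prune(key, now).append(now)

    def record_success(self, username):
        # Clear only the per-username counter; the per-client counters keep
        # counting so one valid login cannot reset a spray from the same client.
        self._fails.pop(self._user_key(username), None)

    def attempt(self, ip, session_id, username, credentials_ok, now,
                captcha_ok=False, token_ok=False):
        """Run one attempt through the policy. Returns (logged_in, message)."""
        gate = self.gate(ip, session_id, username, now)
        if gate is Gate.BLOCKED:
            # Same message as a wrong password: the client cannot distinguish
            # a throttled attempt from a miss, and nothing further is recorded.
            return False, self.GENERIC_ERROR
        if gate is Gate.EMAIL_TOKEN and not token_ok:
            # Shown for unknown usernames too; the mail is only sent if the account exists.
            return False, "Enter the code sent to the account's e-mail address"
        if gate is Gate.CAPTCHA and not captcha_ok:
            return False, "Complete the CAPTCHA to continue"
        if not credentials_ok:
            self.record_failure(ip, session_id, username, now)
            return False, self.GENERIC_ERROR
        self.record_success(username)
        return True, "OK"
```

The three counters are deliberately independent: a single client that exhausts its own limit is cut off without touching the account, while an account sprayed from many clients only escalates to a CAPTCHA and then a token, so the fixed "admin" account can never be locked out by an unauthenticated party.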
11-22-2012, 09:59 AM
Post: #2
RE: Problems with account lockout implementation
Well, it would be very silly to leave the admin account there as admin IMHO....
After 5 (or any number you can set in includes/session.inc) consecutive incorrect username/password combos the account is blocked completely.
If the username is not even recognised you can keep on trying.

There are a lot of ways to do this - happy to incorporate any mods you submit.

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
11-07-2015, 06:42 PM
Post: #3
RE: Problems with account lockout implementation
Option to give the name of the database, please suggest.
จีคลับ
11-07-2015, 08:03 PM
Post: #4
RE: Problems with account lockout implementation
(11-07-2015 06:42 PM)dezeni11 Wrote:  Option to give the name of the database, please suggest.
จีคลับ

In config.php change the value of $AllowCompanySelectionBox to 'ShowInputBox'

Tim