Not a bug account login lockout can be abused?

swatme

swatme

Well-known member
Hi guys

i saw this feature
options->user options->Login limit method

dont you think this can be abused by your enemies?
let say i hate @Mike so much, that i want him not be able to login..

what i will do is just, login his account with wrong password...
after 4 retries his account is now lockout, he cannot login at this specific time..

i think its better to lockout the ip address and not the username..

what do you think?
lockout.webp
 
I wouldn't call this a bug.

The lockout only lasts for 15 minutes. Even someone doing this maliciously to prevent someone else logging in is soon going to get bored as they'd have to make a fresh attempt every 15 minutes to get the account to lockout again.

I don't think the IP lockout is an idea, someone can easily use a whole range of proxies out there to bypass this.
 
Mike said:
The feature doesn't work the way it has been described in the first post. It is IP related.
Click to expand...

wow thanks mike, that was a relief knowing its ip related :-)
maybe a small note in admin panel under it "lockout will be based on ip address"

because by default, we thought its a general lockout..

thanks mike :-)
 

Similar threads

K
Image proxy can be abused too easily
Replies
1
Views
76
Chromaniac
Chromaniac
Triops
Check account/login from external php application
Replies
9
Views
6K
ManOnDaMoon
ManOnDaMoon
Back
Top Bottom