
Not a Bug account login lockout can be abused?

Discussion in 'Resolved Bug Reports' started by swatme, Jun 19, 2015.

  1. swatme

    swatme Well-Known Member

    Hi guys

    I saw this feature:
    options->user options->Login limit method

    Don't you think this can be abused by your enemies?
    Let's say I hate @Mike so much that I want him not to be able to log in..

    What I will do is just log in to his account with the wrong password...
    After 4 retries his account is now locked out, he cannot log in at this specific time..

    I think it's better to lock out the IP address and not the username..

    What do you think?
  2. Martok

    Martok Well-Known Member

    I wouldn't call this a bug.

    The lockout only lasts for 15 minutes. Even someone doing this maliciously to prevent someone else logging in is soon going to get bored, as they'd have to make a fresh attempt every 15 minutes to get the account to lock out again.

    I don't think the IP lockout is an idea, someone can easily use a whole range of proxies out there to bypass this.
  3. Mike

    Mike XenForo Developer Staff Member

    The feature doesn't work the way it has been described in the first post. It is IP related.
    Amaury likes this.
  4. swatme

    swatme Well-Known Member

    Wow, thanks Mike, that was a relief knowing it's IP related :)
    Maybe a small note in the admin panel under it: "lockout will be based on IP address"

    Because by default, we thought it's a general lockout..

    thanks mike :)
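
The difference discussed in this thread, between a lockout counted per username and one that also takes the IP address into account, shown as an added Python example (not XenForo's code and not written by any poster). The `LoginLimiter` class, the expiry of old failures and the sample addresses are assumptions; the 4 attempts and 15 minutes are the figures quoted in the posts.

```python
from collections import defaultdict

MAX_ATTEMPTS = 4            # thread: locked out "after 4 retries"
LOCKOUT_SECONDS = 15 * 60   # thread: "only lasts for 15 minutes"

class LoginLimiter:
    """Failed-login counter; the key decides who gets locked out."""

    def __init__(self, key_by_ip):
        self.key_by_ip = key_by_ip
        self.failures = defaultdict(list)   # key -> failure timestamps

    def _key(self, username, ip):
        # Username-only key: one counter shared by everyone who tries the name.
        # (username, ip) key: each source address has its own counter.
        return (username, ip) if self.key_by_ip else (username,)

    def is_blocked(self, username, ip, now):
        key = self._key(username, ip)
        # Assumed policy: failures older than the lockout window expire.
        recent = [t for t in self.failures[key] if t > now - LOCKOUT_SECONDS]
        self.failures[key] = recent
        return len(recent) >= MAX_ATTEMPTS

    def attempt(self, username, ip, password_ok, now):
        if self.is_blocked(username, ip, now):
            return "blocked"
        key = self._key(username, ip)
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key].append(now)
        return "failed"

def simulate(key_by_ip):
    """Constructed scenario: 4 bad passwords for 'mike' from one address."""
    limiter = LoginLimiter(key_by_ip)
    guesser_ip, owner_ip = "203.0.113.9", "198.51.100.7"   # documentation ranges
    for second in range(MAX_ATTEMPTS):
        limiter.attempt("mike", guesser_ip, False, now=second)
    return {
        "owner": limiter.attempt("mike", owner_ip, True, now=10),
        "guesser": limiter.attempt("mike", guesser_ip, True, now=10),
        "guesser_after_window": limiter.attempt(
            "mike", guesser_ip, True, now=LOCKOUT_SECONDS + MAX_ATTEMPTS),
    }

if __name__ == "__main__":
    print("username key:", simulate(key_by_ip=False))
    print("username+IP key:", simulate(key_by_ip=True))
```

With the username-only key the owner is blocked by someone else's failures; with the IP-aware key only the guessing address is blocked, though, as Martok notes, that does not limit someone who switches addresses.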
