
Not a bug account login lockout can be abused?

swatme

Well-known member
#1
Hi guys,

I saw this feature:
options->user options->Login limit method

Don't you think this can be abused by your enemies?
Let's say I hate @Mike so much that I want him not to be able to log in.

What I will do is just log in to his account with the wrong password...
After 4 retries his account is now locked out; he cannot log in at this specific time.

I think it's better to lock out the IP address and not the username.

What do you think?
 

Martok

Well-known member
#2
I wouldn't call this a bug.

The lockout only lasts for 15 minutes. Even someone doing this maliciously to prevent someone else logging in is soon going to get bored, as they'd have to make a fresh attempt every 15 minutes to get the account to lock out again.

I don't think the IP lockout is an idea; someone can easily use a whole range of proxies out there to bypass this.
 

swatme

Well-known member
#4
The feature doesn't work the way it has been described in the first post. It is IP related.
Wow, thanks Mike, that was a relief knowing it's IP related :)
Maybe a small note in the admin panel under it: "lockout will be based on ip address"

Because by default, we thought it's a general lockout.

Thanks Mike :)
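
The distinction the thread turns on (counting failed logins per username versus per username and source IP), as an added example that is not part of any post and is not XenForo's code. The `LoginThrottle` class, the sliding-window counting and the sample addresses are assumptions; the 4-failure limit and 15-minute duration are the figures mentioned in posts #1 and #2.

```python
from collections import defaultdict

MAX_FAILURES = 4             # "after 4 retries" (post #1)
LOCKOUT_SECONDS = 15 * 60    # "only lasts for 15 minutes" (post #2)


class LoginThrottle:
    """Hypothetical limiter: blocks a key once it has MAX_FAILURES recent failures."""

    def __init__(self, key_by_ip):
        self.key_by_ip = key_by_ip
        self.failures = defaultdict(list)   # key -> timestamps of failed logins

    def _key(self, username, ip):
        name = username.strip().lower()
        # Username-only keying lets anyone lock the account for everyone.
        return (name, ip) if self.key_by_ip else (name,)

    def _recent(self, key, now):
        # Drop failures older than the lockout window (assumed sliding window).
        recent = [t for t in self.failures[key] if now - t < LOCKOUT_SECONDS]
        self.failures[key] = recent
        return recent

    def is_locked(self, username, ip, now):
        return len(self._recent(self._key(username, ip), now)) >= MAX_FAILURES

    def record_failure(self, username, ip, now):
        self._recent(self._key(username, ip), now).append(now)


def simulate(key_by_ip):
    """Constructed scenario: someone else mistypes the password for 'mike' 4 times."""
    throttle = LoginThrottle(key_by_ip)
    other_ip, owner_ip = "198.51.100.7", "203.0.113.20"   # documentation-range IPs
    for second in range(MAX_FAILURES):
        throttle.record_failure("mike", other_ip, now=second)
    expiry = MAX_FAILURES + LOCKOUT_SECONDS
    return {
        "owner_locked": throttle.is_locked("mike", owner_ip, now=60),
        "guesser_locked": throttle.is_locked("mike", other_ip, now=60),
        "guesser_locked_after_expiry": throttle.is_locked("mike", other_ip, now=expiry),
    }


if __name__ == "__main__":
    print("keyed on username only:", simulate(key_by_ip=False))
    print("keyed on username + IP:", simulate(key_by_ip=True))
```

Keying on the source IP keeps the account owner able to log in, at the cost post #2 points out: each new source address starts with a fresh counter.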