Not a bug account login lockout can be abused?

swatme · Jun 19, 2015

Hi guys

i saw this feature
options->user options->Login limit method

dont you think this can be abused by your enemies?
let say i hate @Mike so much, that i want him not be able to login..

what i will do is just, login his account with wrong password...
after 4 retries his account is now lockout, he cannot login at this specific time..

i think its better to lockout the ip address and not the username..

what do you think?

Martok · Jun 19, 2015

I wouldn't call this a bug.

The lockout only lasts for 15 minutes. Even someone doing this maliciously to prevent someone else logging in is soon going to get bored as they'd have to make a fresh attempt every 15 minutes to get the account to lockout again.

I don't think the IP lockout is an idea, someone can easily use a whole range of proxies out there to bypass this.

Mike · Jun 19, 2015

The feature doesn't work the way it has been described in the first post. It is IP related.

swatme · Jun 20, 2015

Mike said:
The feature doesn't work the way it has been described in the first post. It is IP related.

wow thanks mike, that was a relief knowing its ip related

maybe a small note in admin panel under it "lockout will be based on ip address"

because by default, we thought its a general lockout..

thanks mike

Not a bug account login lockout can be abused?

swatme

Well-known member

Martok

Well-known member

Mike

XenForo developer

swatme

Well-known member

Similar threads

We value your privacy