XF 2.2 Is there a way to lock an account after X amount of failed login attempts?

PumpinIron

PumpinIron

Well-known member
My forum is suffering a problem as of lately with user accounts being hacked.

What's happening (near as I can tell) is that hackers from overseas are getting into members accounts by guessing their passwords. Since some of these guys have strong passwords I have to imagine they are doing this using a program that attempts to cycle through password combinations.

Once they get in to the members account they post a listing in the classified section and people end up sending them money via Zelle (stupid, I know) only to find out that it was a well known member who had their account hacked.

My thought is that if I could lock accounts after X amount of failed password attempts this might be somewhat of a security measure to hopefully prevent this.

Does such an add-on or feature exist or am I just missing it in the ACP?
 
Sort by date Sort by votes
Locks are placed on accounts which have incorrect password attempts.

The lock timer increases automatically each time there is a new incorrect attempt.
 
Upvote 0 Downvote
Paul B said:
Locks are placed on accounts which have incorrect password attempts.

The lock timer increases automatically each time there is a new incorrect attempt.
Click to expand...
Alright, then that really begs the question of how these well known members with strong passwords are getting their accounts hacked.
 
Upvote 0 Downvote
PumpinIron said:
Alright, then that really begs the question of how these well known members with strong passwords are getting their accounts hacked.
Click to expand...
If they have the same strong password for several sites and any one of those is compromised then the account hijacker can get straight in. So 2FA is good, or else you can batch update users to need to set a security lock, e.g. they must change/reset password.

I would do this for inactive users, but also batch email active users making them aware that they should not use passwords on more than one site and to change them from time to time. It's again but password management like 1 Password and Keychain can help.

Edit: this addon I think checks for compromised passwords :

xenforo.com

Password Tools

Password Tools Description Source This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and...
xenforo.com xenforo.com
 
Last edited:
Upvote 0 Downvote
Mr Lucky said:
If they have the same strong password for several sites and any one of those is compromised then the account hijacker can get straight in. So 2FA is good, or else you can batch update users to need to set a security lock, e.g. they must change/reset password.

I would do this for inactive users, but also batch email active users making them aware that they should not use passwords on more than one site and to change them from time to time. It's again but password management like 1 Password and Keychain can help.

Edit: this addon I think checks for compromised passwords :

xenforo.com

Password Tools

Password Tools Description Source This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and...
xenforo.com xenforo.com
Click to expand...
I was just going to recommend that addon. It surely does. If a breached password is found, it’ll alert the user.
 
Upvote 0 Downvote
I've got several users asking to use 2FA. It's enabled under the user group permissions in the ACP, but when you go to the front end, then to password and security, all you see is this:

Screen Shot 2023-10-13 at 7.29.45 AM.webp


What am I missing?
 
Upvote 0 Downvote
PumpinIron said:
I've got several users asking to use 2FA. It's enabled under the user group permissions in the ACP, but when you go to the front end, then to password and security, all you see is this:

View attachment 292411


What am I missing?
Click to expand...
Look here I think it walks you through it.

Security | Manual | XenForo

End-user documentation for XenForo
xenforo.com xenforo.com

Two-factor authentication#

Two factor authentication (2FA), or two-step verification, is an enhanced security system that requires users to provide an extra level of security when logging in to their accounts.

This may take the form of a code to be entered from an app such as Authy, Google Authenticator or the iCloud Password Manager, or clicking a link in an email sent to your users' registered email address etc.

The 2FA methods available in XenForo are listed at Setup > Service providers > Two-step verification.
Click to expand...
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

F
  • Solved
XF 1.5 Can't login to my forum with 2FA after iOS upgrade failed on my iPhone
Replies
14
Views
1K
NDavid
NDavid
alexm
  • Question Question
XF 2.2 Is there a way of getting users dates on the last password reset?
Replies
4
Views
735
digitalpoint
digitalpoint
Chernabog
  • Question Question
XF 2.2 Is there an add-on someone knows of or is it possible to give a person a code they could use at sign up to obtain a particular user group immediately?
Replies
1
Views
513
Paul B
Paul B
texkev
Add-on I need an addon that throws any change to a user account into moderation
Replies
1
Views
439
Blackbeard
Blackbeard
elsparkodiablo
  • Question Question
XF 2.2 Is there a way to see how the amount of disk space each member has used with regards to their attachment / media quota?
Replies
3
Views
427
hotdoghero
hotdoghero
Top Bottom