XF 2.2 Is there a way to lock an account after X amount of failed login attempts?

PumpinIron

PumpinIron

Well-known member
My forum is suffering a problem as of lately with user accounts being hacked.

What's happening (near as I can tell) is that hackers from overseas are getting into members accounts by guessing their passwords. Since some of these guys have strong passwords I have to imagine they are doing this using a program that attempts to cycle through password combinations.

Once they get in to the members account they post a listing in the classified section and people end up sending them money via Zelle (stupid, I know) only to find out that it was a well known member who had their account hacked.

My thought is that if I could lock accounts after X amount of failed password attempts this might be somewhat of a security measure to hopefully prevent this.

Does such an add-on or feature exist or am I just missing it in the ACP?
 
Sort by date Sort by votes
Locks are placed on accounts which have incorrect password attempts.

The lock timer increases automatically each time there is a new incorrect attempt.
 
Upvote 0 Downvote
Paul B said:
Locks are placed on accounts which have incorrect password attempts.

The lock timer increases automatically each time there is a new incorrect attempt.
Click to expand...
Alright, then that really begs the question of how these well known members with strong passwords are getting their accounts hacked.
 
Upvote 0 Downvote
PumpinIron said:
Alright, then that really begs the question of how these well known members with strong passwords are getting their accounts hacked.
Click to expand...
If they have the same strong password for several sites and any one of those is compromised then the account hijacker can get straight in. So 2FA is good, or else you can batch update users to need to set a security lock, e.g. they must change/reset password.

I would do this for inactive users, but also batch email active users making them aware that they should not use passwords on more than one site and to change them from time to time. It's again but password management like 1 Password and Keychain can help.

Edit: this addon I think checks for compromised passwords :

xenforo.com

Password Tools

Password Tools Description Source This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and...
xenforo.com xenforo.com
 
Last edited:
Upvote 0 Downvote
Mr Lucky said:
If they have the same strong password for several sites and any one of those is compromised then the account hijacker can get straight in. So 2FA is good, or else you can batch update users to need to set a security lock, e.g. they must change/reset password.

I would do this for inactive users, but also batch email active users making them aware that they should not use passwords on more than one site and to change them from time to time. It's again but password management like 1 Password and Keychain can help.

Edit: this addon I think checks for compromised passwords :

xenforo.com

Password Tools

Password Tools Description Source This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and...
xenforo.com xenforo.com
Click to expand...
I was just going to recommend that addon. It surely does. If a breached password is found, it’ll alert the user.
 
Upvote 0 Downvote
I've got several users asking to use 2FA. It's enabled under the user group permissions in the ACP, but when you go to the front end, then to password and security, all you see is this:

Screen Shot 2023-10-13 at 7.29.45 AM.webp


What am I missing?
 
Upvote 0 Downvote
PumpinIron said:
I've got several users asking to use 2FA. It's enabled under the user group permissions in the ACP, but when you go to the front end, then to password and security, all you see is this:

View attachment 292411


What am I missing?
Click to expand...
Look here I think it walks you through it.

Security | Manual | XenForo

End-user documentation for XenForo
xenforo.com xenforo.com

Two-factor authentication#

Two factor authentication (2FA), or two-step verification, is an enhanced security system that requires users to provide an extra level of security when logging in to their accounts.

This may take the form of a code to be entered from an app such as Authy, Google Authenticator or the iCloud Password Manager, or clicking a link in an email sent to your users' registered email address etc.

The 2FA methods available in XenForo are listed at Setup > Service providers > Two-step verification.
Click to expand...
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

elsparkodiablo
  • Question Question
XF 2.2 Is there a way to see how the amount of disk space each member has used with regards to their attachment / media quota?
Replies
3
Views
439
hotdoghero
hotdoghero
Carlos
  • Question Question
XF 1.1 Is there a way to edit the length of time for edits?
Replies
8
Views
2K
Jake Bunce
Jake Bunce
Back
Top Bottom