
Fixed Lock out happening on the sixth attempt, not the fourth

Discussion in 'Resolved Bug Reports' started by imthebest, Sep 1, 2014.

  1. imthebest

    imthebest Formerly Super120

    It says in the control panel: "If a user fails to log in 4 or more times in a 15 minute period, this method will be used to prevent brute force attacks."

    First problem is that it's not clear in the phrase if the account will be locked out on the fourth or fifth attempt. The second problem is a bug that I have just been able to reproduce here at XenForo.com:

    Try to log in with a wrong password multiple times and you'll see that you're allowed to fail 5 times (the fifth attempt is the latest chance you have to log in). On the sixth attempt even if you enter the correct password it will not work and you'll get the locked out error message. If the fifth attempt is the latest chance you have to log in then after failing on the fifth attempt the system should display the locked out error message and not wait until the sixth attempt to show that because the sixth attempt will be useless anyway.

    By the way now that you're going to modify the code for this could you include a message on the let's say third failed attempt telling the user that he has 2 more tries before his account gets locked out?
     
  2. Mike

    Mike XenForo Developer Staff Member

    Fixed the code to be >=4 logged entries rather than >4 to be consistent with the text. The text seems pretty clear to me -- it requires 4 or more failed attempts. Which would mean the 5th attempt would be blocked.
     
  3. Martok

    Martok Well-Known Member

    Shouldn't it just be, "If a user fails to log in 4 times in a 15 minute period..."? They can't have more than 4 failed attempts as the fifth attempt will be blocked.
     
    imthebest likes this.
  4. imthebest

    imthebest Formerly Super120

    Yeah I'm with @Martok just make the phrase simpler to understand... not everybody likes maths!!! :cry:
     
  5. Mike

    Mike XenForo Developer Staff Member

    The (previous) default method allows them to continue by completing a CAPTCHA.
     
    Martok likes this.
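
The off-by-one discussed in this thread, as an added example that is not part of the original posts and is not XenForo's code. It assumes a hypothetical limiter that counts logged failures in a sliding 15-minute window, is consulted before each password check, and does not log refused attempts.

```python
from collections import deque

WINDOW = 15 * 60   # seconds; the "15 minute period" from the control panel text
THRESHOLD = 4      # "4 or more" failed logins


class LoginThrottle:
    """Hypothetical limiter (assumption, not XenForo's implementation)."""

    def __init__(self, inclusive):
        self.inclusive = inclusive  # True: count >= 4 (fixed); False: count > 4 (old)
        self.failures = deque()     # timestamps of logged failed attempts

    def _recent(self, now):
        # Assumption: an entry ages out once it is exactly WINDOW seconds old.
        while self.failures and now - self.failures[0] >= WINDOW:
            self.failures.popleft()
        return len(self.failures)

    def is_blocked(self, now):
        n = self._recent(now)
        return n >= THRESHOLD if self.inclusive else n > THRESHOLD

    def attempt(self, now, password_ok):
        # The lockout check runs first, so a correct password is also refused.
        if self.is_blocked(now):
            return "blocked"
        if password_ok:
            return "ok"
        self.failures.append(now)
        return "failed"


def first_blocked_attempt(inclusive, spacing=10):
    """1-based index of the first refused attempt when every password is wrong."""
    throttle = LoginThrottle(inclusive)
    for i in range(1, 20):
        if throttle.attempt(i * spacing, password_ok=False) == "blocked":
            return i
    return None


if __name__ == "__main__":
    print("count > 4 :", first_blocked_attempt(inclusive=False))
    print("count >= 4:", first_blocked_attempt(inclusive=True))
```

Because the check runs before the attempt is logged, the comparison operator alone decides whether the lockout lands on the fifth or the sixth try.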
