
Fixed Lock out happening on the sixth attempt, not the fourth

imthebest

Formerly Super120
#1
It says in the control panel: "If a user fails to log in 4 or more times in a 15 minute period, this method will be used to prevent brute force attacks."

First problem is that it's not clear from the phrase whether the account will be locked out on the fourth or fifth attempt. The second problem is a bug that I have just been able to reproduce here at XenForo.com:

Try to log in with a wrong password multiple times and you'll see that you're allowed to fail 5 times (the fifth attempt is the last chance you have to log in). On the sixth attempt, even if you enter the correct password, it will not work and you'll get the locked out error message. If the fifth attempt is the last chance you have to log in, then after failing on the fifth attempt the system should display the locked out error message and not wait until the sixth attempt to show it, because the sixth attempt will be useless anyway.

By the way, now that you're going to modify the code for this, could you include a message on, let's say, the third failed attempt telling the user that he has 2 more tries before his account gets locked out?
 

Mike

XenForo developer
Staff member
#2
Fixed the code to be >=4 logged entries rather than >4 to be consistent with the text. The text seems pretty clear to me -- it requires 4 or more failed attempts. Which would mean the 5th attempt would be blocked.
 

Martok

Well-known member
#3
Fixed the code to be >=4 logged entries rather than >4 to be consistent with the text. The text seems pretty clear to me -- it requires 4 or more failed attempts. Which would mean the 5th attempt would be blocked.
Shouldn't it just be, "If a user fails to log in 4 times in a 15 minute period..."? They can't have more than 4 failed attempts as the fifth attempt will be blocked.
 

Mike

XenForo developer
Staff member
#5
Shouldn't it just be, "If a user fails to log in 4 times in a 15 minute period..."? They can't have more than 4 failed attempts as the fifth attempt will be blocked.
The (previous) default method allows them to continue by completing a CAPTCHA.
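The off-by-one discussed in posts #1 and #2 (a `>4` comparison letting a fifth wrong password through and then blocking the sixth, versus the `>=4` the text promises) and the CAPTCHA method from post #5, as an added example that is not XenForo's code. It is a Python stand-in for a 15-minute failed-login window with the comparison switchable, the two handling methods ("lock" outright, or let the user continue by completing a CAPTCHA), and the "tries remaining" count the first post asks for, computed against the `>=4` rule so that after the third failure one try remains. The user name, password, timestamps and the `FailedLoginLog` class are constructed for the demo and assume nothing about XenForo's real schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # "in a 15 minute period"
LIMIT = 4                        # "fails to log in 4 or more times"
CORRECT_PASSWORD = "hunter2"     # constructed credential for the demo user


class FailedLoginLog:
    """Constructed stand-in for a failed-login table: user name -> failure timestamps."""

    def __init__(self):
        self._failures = {}

    def count_recent(self, user, now):
        """Number of failures for `user` inside the trailing 15-minute window."""
        cutoff = now - WINDOW
        kept = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = kept          # drop entries that fell out of the window
        return len(kept)

    def record(self, user, now):
        self._failures.setdefault(user, []).append(now)


def over_threshold(count, inclusive):
    """The comparison the thread is about: `>= 4` (fixed) versus `> 4` (old bug)."""
    return count >= LIMIT if inclusive else count > LIMIT


def attempt_login(log, user, password, now,
                  inclusive=True, method="lock", captcha_solved=False):
    """One login attempt.

    Returns 'ok', 'locked', 'captcha_required' or 'wrong:<n>', where <n> is how
    many further failures the user can make before the method kicks in.
    """
    if over_threshold(log.count_recent(user, now), inclusive):
        if method == "lock":
            return "locked"
        # The other method from post #5: the user may continue after a CAPTCHA.
        if not captcha_solved:
            return "captcha_required"
    if password == CORRECT_PASSWORD:
        return "ok"
    log.record(user, now)
    remaining = max(0, LIMIT - log.count_recent(user, now))
    return f"wrong:{remaining}"


def simulate(inclusive, method="lock", captcha_solved=False):
    """Five wrong passwords one second apart, then the correct password,
    then the correct password again after the window has expired."""
    log = FailedLoginLog()
    user = "alice"                                   # constructed user
    t0 = datetime(2011, 1, 1, 12, 0, 0)              # constructed start time
    results = []
    for i in range(5):
        results.append(attempt_login(log, user, "wrong", t0 + timedelta(seconds=i),
                                     inclusive, method, captcha_solved))
    results.append(attempt_login(log, user, CORRECT_PASSWORD, t0 + timedelta(seconds=5),
                                 inclusive, method, captcha_solved))
    results.append(attempt_login(log, user, CORRECT_PASSWORD,
                                 t0 + WINDOW + timedelta(seconds=6),
                                 inclusive, method, captcha_solved))
    return results


if __name__ == "__main__":
    print("old  (>4):        ", simulate(inclusive=False))
    print("fixed (>=4):      ", simulate(inclusive=True))
    print("captcha, unsolved:", simulate(inclusive=True, method="captcha"))
    print("captcha, solved:  ", simulate(inclusive=True, method="captcha", captcha_solved=True))
```

With the old `>4` comparison the fifth wrong password is still accepted as a failure and only the sixth attempt, correct password and all, comes back "locked", which is exactly the sequence the first post reports; with `>=4` the fifth attempt is the one blocked. The final attempt in each run shows the window expiring: once the four failures are older than 15 minutes the correct password works again without any reset.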