Security Lock: User must contact Admin

Kirby

Well-known member
The recent wave of compromised accounts that are suspected to originate from compromised email accounts has brought up the question of how to deal with them without potentially upsetting users who might return.

Right now there seem to be several options to handle compromised accounts:
  1. Ban the account
    Does stop spam activity, but might upset some human users
  2. Set security lock to "User must change password"
    Might work a bit, but as bots know the password they can easily change it
  3. Set security lock to "User must reset password"
    Pretty much the same as before, but requires a bit more processing for bots
  4. Set account state to "Awaiting email confirmation"
    Might also work to some extent but still leaves a breached password in place
  5. Set account state to "Rejected"
    Does stop spam activity but like 1) it might upset human users who don't understand why the account is "Rejected", as the only message they get is "Your account was rejected"
  6. Set account state to "Disabled"
    Does stop spam activity but like 1) it might upset human users who don't understand why the account is "Disabled", as the only message they get is "Your account has been disabled. If you would like to re-activate your account, please Contact us"
  7. Add the account to a usergroup that withdraws all permissions and display a notice (using notice criteria targeted at this usergroup) to show them a message that the account has been compromised and that they should contact the admin
Option 7) seems pretty appealing to me - but does require quite some setup.

So what I would like to suggest instead is to have a third security lock option: User must contact Admin.

If this option is selected, the user should be presented with a (per-user overridable) message telling them that the account has been administratively locked for security reasons and that the user should contact the admin.
 
Upvote 15
How is it possible that if someone has the Security Lock: Password reset the forum software does not send them a notification or ask them to reset the password when they log in? Or am I incorrect in understanding how the feature works?
Security Lock: User Must Reset Password automatically sends an email to their registered email... unless their email is wrong. Then they are stuck, and the software offers no means to "target" those specific users with the Notices system. In my case, I've had over 1000 registered users who needed their email updated... sucks to not have a built-in means to target them. I did a sitewide forced password reset in Aug 2021 and STILL get 4-5 emails a week for users who have outdated email addys. (my site has 160k+ registered usernames)
 
I see. Yeah this could be a huge problem. I had a rogue person from a Moldova IP spamming. It looks like they compromised a bunch of old accounts. Thought about possibly locking out inactive accounts as a solution as well, but worried about the possible fallout from doing this as well. Instead only targeted the accounts logged in from the IP in this instance, but yeah, if their e-mail is old or wrong then they are going to be stuck as you have pointed out. I found your posts about this from investigating the possibility of using this feature, and now I'm seeing your point regarding this.
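The approach in the post above, locking only the accounts that logged in from the one rogue IP rather than every inactive account, as an added example that is not code from the thread or from XenForo: it scans constructed login records (timestamp, user, IP; all names and addresses are made up, with 198.51.100.7 from the documentation range standing in for the rogue IP) and reports IPs from which several long-dormant accounts were suddenly reactivated, giving the admin a concrete list to lock.

```python
"""Flag dormant accounts that all start logging in from one shared IP.

Added example, not XenForo's code. Records are 'timestamp user ip' lines;
an IP is reported when it is the first login in a long time for several
distinct accounts, the pattern described in the thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); 198.51.100.7 plays the rogue IP.
SAMPLE_LOG = """\
2023-01-20T09:12:00 alice 203.0.113.5
2022-01-05T11:00:00 bob 192.0.2.10
2023-01-28T02:01:00 bob 198.51.100.7
2021-06-11T08:30:00 carol 192.0.2.11
2023-01-28T02:03:00 carol 198.51.100.7
2022-03-30T19:45:00 dave 192.0.2.12
2023-01-28T02:05:00 dave 198.51.100.7
2023-01-27T10:00:00 alice 203.0.113.5
"""


def parse_log(text):
    """Parse 'timestamp user ip' lines into (datetime, user, ip), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return sorted(events)


def suspicious_ips(events, min_accounts=3, dormant_days=180):
    """Return {ip: [users]} for IPs that reactivated >= min_accounts accounts
    whose previous login was at least dormant_days earlier."""
    last_seen = {}
    reactivations = defaultdict(set)
    for ts, user, ip in events:
        prev = last_seen.get(user)
        if prev is not None and ts - prev >= timedelta(days=dormant_days):
            reactivations[ip].add(user)
        last_seen[user] = ts
    return {ip: sorted(users) for ip, users in reactivations.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for ip, users in suspicious_ips(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: lock and notify {', '.join(users)}")
```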
 
How is it possible that if someone has the Security Lock: Password reset the forum software does not send them a notification or ask them to reset the password when they log in? Or am I incorrect in understanding how the feature works?
I don't think it sends an email, but you can choose to do that via the mass email users function.

Also if they try to log in they will get this:

[Screenshot, 2023-01-29: the message shown to the locked user at login]

Additionally I show them a notice using criteria for the usergroup I put them in.

and the software offers no means to "target" those specific users with the Notices system.
See above, I do it via usergroup.
 