#1 posted by doubledee (Senior Coder)

    Lock out User, and then what?!

    Just finished adding code to my "log-in.php" script which locks out a person after 3 consecutive failed log-in attempts.

    Was feeling pretty proud of myself, when the following things occurred to me...

    1.) Should I get rid of the "Forgot Password" link underneath the Log In Form, which basically resets the User's password if they forget it?

    2.) If I lock someone out, then what is supposed to come next??


    Personally, I added this security feature not just to protect against Brute Force attacks, but also to protect against someone continually trying to guess other people's passwords!!

    Sincerely,


    Debbie

#2 posted by felgall (Master Coder)
    Quote Originally Posted by doubledee:
    2.) If I lock someone out, then what is supposed to come next??
    If someone locks themselves out then they need to reset their password in order to remove the lockout and be able to log back in. You are not trying to lock people out of their own account - the lockout is there to try to prevent brute force attacks by others.

    If someone is trying to break in then they will not receive the reset email and so resetting the password wouldn't help them to break in as all it would mean is that they no longer know if any of their prior attempts would now match the new password.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

#3 posted by DrDOS (Senior Coder)
    If you locked someone out you might consider directing them to a page which tells them what happened and that they can't log in till a certain time has expired. Hopefully this won't cause too much inconvenience for legitimate users.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

#4 posted by doubledee (Senior Coder)
    Quote Originally Posted by DrDOS:
    If you locked someone out you might consider directing them to a page which tells them what happened and that they can't log in till a certain time has expired. Hopefully this won't cause too much inconvenience for legitimate users.
    What about Felgall's suggestion that I just direct them to my "Reset Password" link?


    Debbie

#5 posted by DrDOS (Senior Coder)
    Quote Originally Posted by doubledee:
    What about Felgall's suggestion that I just direct them to my "Reset Password" link?


    Debbie
    I'm just guessing that 90% of the time, if they are legitimate users they don't really want to reset their password, they will only want to do that if they have to or think that the password is breached. And 'bots, human or machine, will be directed away from the login page.

#6 posted by doubledee (Senior Coder)
    Quote Originally Posted by DrDOS:
    I'm just guessing that 90% of the time, if they are legitimate users they don't really want to reset their password, they will only want to do that if they have to or think that the password is breached. And 'bots, human or machine, will be directed away from the login page.
    Sorry, but I have no clue what you are trying to say...

    (Maybe re-read the conversation?)

    Thanks,


    Debbie

#7 posted by felgall (Master Coder)
    There are basically two situations where the account will be locked.

    1. You have forgotten your password and try your best three guesses as to what it might be. If you haven't remembered it by then you will probably want to reset it.

    2. Someone else has tried to break into your account and got the account locked after their third attempt. At this point it is going to be safer for you if you change your password - that way they will no longer have three wrong guesses that they can eliminate before trying to break in again after you get the account unlocked.

    The only time you'd get locked out where you know the password and someone else isn't trying to break in would be if you made typos in what you entered on three consecutive attempts. After the first attempt fails due to a typo you'd be really careful typing the password the second time and so managing to mistype it three times running would be extremely unlikely.
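The policy felgall and DrDOS describe in #2, #3 and #7, written out as an added example (this is not code from the thread or from Debbie's log-in.php): three consecutive failures lock the account for a fixed period, a locked account rejects even the correct password, a success clears the consecutive-failure count, and completing the password reset clears the lockout. The attempt limit, the lockout duration, the in-memory `Account` record and the explicit `now` timestamp are all assumptions chosen here so the flow can be exercised deterministically.

```python
# Added example (not code from the thread or from Debbie's log-in.php): an
# account-lockout policy that behaves the way felgall and DrDOS describe.
# Assumptions, all constructed here: the attempt limit and lockout duration,
# an in-memory Account record standing in for a database row, and a `now`
# timestamp passed in explicitly so the flow can be exercised deterministically.
import hashlib
import os
import secrets
from dataclasses import dataclass

FAILED_ATTEMPT_LIMIT = 3        # lock after three consecutive failures
LOCKOUT_SECONDS = 15 * 60       # DrDOS's "until a certain time has expired"
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0    # consecutive failures since the last success
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash_password(password, salt))


def is_locked(acct: Account, now: float) -> bool:
    return now < acct.locked_until


def seconds_until_unlock(acct: Account, now: float) -> int:
    """What the 'You've been locked out' page can tell the user."""
    return max(0, int(acct.locked_until - now))


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'bad_password' or 'locked'."""
    if is_locked(acct, now):
        # Do not check the password at all while locked: a locked account must
        # not tell the caller whether this particular guess was right.
        return "locked"
    if secrets.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0      # only *consecutive* failures count
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= FAILED_ATTEMPT_LIMIT:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
        return "locked"
    return "bad_password"


def reset_password(acct: Account, new_password: str) -> None:
    """Completing the 'Forgot Password' flow: a fresh salt and hash, and the
    lockout and failure count are cleared. Whoever locked the account out by
    guessing learns nothing from the old attempts once the secret has changed
    (felgall's point in #2 and #7)."""
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash_password(new_password, acct.salt)
    acct.failed_attempts = 0
    acct.locked_until = 0.0


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    for guess in ("hunter2", "password1", "letmein"):
        print(guess, "->", attempt_login(acct, guess, now=1000.0))
    print("correct password while locked ->",
          attempt_login(acct, "correct horse battery staple", now=1001.0),
          f"({seconds_until_unlock(acct, 1001.0)} s remaining)")
    reset_password(acct, "new passphrase")
    print("after reset ->", attempt_login(acct, "new passphrase", now=1002.0))
```

Two design points worth keeping in a real log-in.php: the password is not checked at all while the account is locked, so the lockout never doubles as an oracle, and the lockout is time-limited, so a stranger cannot permanently lock a user out by guessing badly; the reset link (Debbie's "Forgot Password") remains the immediate way out.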

#8 posted by doubledee (Senior Coder)
    Quote Originally Posted by felgall:
    There are basically two situations where the account will be locked.

    1. You have forgotten your password and try your best three guesses as to what it might be. If you haven't remembered it by then you will probably want to reset it.

    2. Someone else has tried to break into your account and got the account locked after their third attempt. At this point it is going to be safer for you if you change your password - that way they will no longer have three wrong guesses that they can eliminate before trying to break in again after you get the account unlocked.

    The only time you'd get locked out where you know the password and someone else isn't trying to break in would be if you made typos in what you entered on three consecutive attempts. After the first attempt fails due to a typo you'd be really careful typing the password the second time and so managing to mistype it three times running would be extremely unlikely.
    So as part of my "You've been locked out..." message, do I get rid of the second line, "Please contact the Sys Admin" and instead have a Button/Link to "Reset Password" instead?

    That seems to be where you're pointing me...


    Debbie

#9 posted by firepages (Super Moderator)
    Quote Originally Posted by doubledee:
    ... "Please contact the Sys Admin" and instead have a Button/Link to "Reset Password" instead?
    ...
    why not both... ?
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

#10 posted by doubledee (Senior Coder)
    Quote Originally Posted by firepages:
    why not both... ?
    Sure, I could do that too.


    Debbie

#11 posted by a New Coder
    My best guess would be:

    1. Matching IP where account is locked from.
    2. Sending e-mail about that to admin (if there is no log file) and account holder.
    3. Mail sent to account holder should have hashed link for unlocking (works if still valid IP).

    Point 3 is best set up with a rewrite rule in .htaccess to avoid page guessing, where the logic is:
    http://example.com/356a192b7913b04c5...8d46e6395428ab

    My 2 cents.
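Points 2 and 3 above, the notification e-mail and the hashed unlock link bound to the IP the lockout came from, as an added example (not code from the thread or from any of the posters). The token lifetime, the base URL and the in-memory store standing in for a database table are assumptions chosen here; the store keeps only the SHA-256 of each token, so a copied table does not yield working links.

```python
# Added example (not code from the thread): single-use unlock tokens for the
# e-mail link proposed in point 3 above, bound to the client IP as the post
# suggests. Constructed assumptions: the token lifetime, the base URL, and an
# in-memory store standing in for a database table.
import hashlib
import secrets

UNLOCK_TOKEN_TTL = 30 * 60        # seconds an unlock link stays valid
BASE_URL = "https://example.com"  # placeholder host, as in the post


class UnlockTokens:
    """Issues random unlock tokens and stores only their SHA-256. The raw
    token exists only in the e-mail, so the table itself is not a way in."""

    def __init__(self):
        # sha256(token) -> (account_id, client_ip, expires_at)
        self._pending = {}

    def issue(self, account_id: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: enumeration is hopeless
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (account_id, client_ip, now + UNLOCK_TOKEN_TTL)
        return token

    def redeem(self, token: str, client_ip: str, now: float):
        """Returns the account id to unlock, or None. The token is consumed on
        success; a wrong IP leaves it intact for the legitimate client."""
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.get(key)
        if record is None:
            return None
        account_id, bound_ip, expires_at = record
        if now > expires_at:
            del self._pending[key]          # expired: drop it
            return None
        if bound_ip != client_ip:           # the post's "works if still valid IP"
            return None
        del self._pending[key]              # single use
        return account_id


def unlock_url(token: str) -> str:
    # The token is the whole secret; a rewrite rule only decides which script
    # handles /unlock/<token>, it adds no secrecy of its own.
    return f"{BASE_URL}/unlock/{token}"


def lockout_notice(account_id: str, client_ip: str, token: str) -> dict:
    """The e-mail to the account holder (point 2 above)."""
    return {
        "to": account_id,
        "subject": "Your account was locked after repeated failed log-ins",
        "body": (f"Three failed log-in attempts came from {client_ip}. "
                 f"If that was you, unlock your account here: {unlock_url(token)}"),
    }


if __name__ == "__main__":
    store = UnlockTokens()
    tok = store.issue("debbie", "203.0.113.5", now=1000.0)   # constructed sample IP
    print(lockout_notice("debbie", "203.0.113.5", tok)["body"])
    print("redeem from other IP ->", store.redeem(tok, "198.51.100.9", now=1001.0))
    print("redeem from same IP  ->", store.redeem(tok, "203.0.113.5", now=1001.0))
    print("redeem again         ->", store.redeem(tok, "203.0.113.5", now=1002.0))
```

The guessability of the link comes from the 256 random bits in the token, not from hiding the URL layout. Binding the token to the client IP does what the post asks for, but users behind mobile carriers or NAT pools can change IP between the lockout and clicking the link, so a site that adopts it should expect some legitimate unlock clicks to fail and log the mismatch rather than silently dropping the user.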

