  1. #1
    DoubleDee (SitePoint Wizard)

    Locking Out Account and Password Reset??

    I just spent a whole bunch of time adding code - LOTS of code - to my Log-In script, so that a User gets "locked out" of their account if they have more than 3 failed log-in attempts.

    After all of that work, it just dawned on me that the "Reset Password" link which I have on my Log-In Page probably completely undoes any value of this new "lock out" functionality that I just wrote, right??

    Should I get rid of this reset link, and its related functionality?

    Sincerely,


    Debbie

  2. #2
    felgall (Programming Since 1978)
    In what way does the reset link undo the lockout? There shouldn't be any connection between the two.

    The logic for locking out after three wrong passwords is extremely simple. You have an extra field in your user table that counts the invalid attempts. That starts as zero for everyone. The password validation checks first whether the invalid count is 3 and, if so, rejects the attempt; otherwise, if the password is wrong, it adds 1 to the count and rejects the login. Then you'd just have an unlock option in your back end that resets the count to zero when you want to unlock the account. None of this processing would be affected by changing the password.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    DoubleDee (SitePoint Wizard)
    Quote Originally Posted by felgall:
    In what way does the reset link undo the lockout? There shouldn't be any connection between the two.

    The logic for locking out after three wrong passwords is extremely simple. You have an extra field in your user table that counts the invalid attempts. That starts as zero for everyone. The password validation checks first whether the invalid count is 3 and, if so, rejects the attempt; otherwise, if the password is wrong, it adds 1 to the count and rejects the login. Then you'd just have an unlock option in your back end that resets the count to zero when you want to unlock the account. None of this processing would be affected by changing the password.
    Not CHANGE your Password... RESET your Password.

    I just finished my "3 Strikes And You're Out!" addition to "log-in.php".

    The conflict I see is this...

    Debbie forgets her password, and fails to log in 3 consecutive times.

    The System locks her out.

    So Debbie just clicks "Reset Password", and the System sends her a TEMP password (i.e. "Resetting" her Password).

    The System requires her to then CHANGE the Temp Password for a NEW PASSWORD.

    Debbie gets 3 more strikes now, and is no longer locked out!!!

    See the problem now??

    (You would expect being "locked out" to be permanent until the Admin intervenes...)


    *********
    You could use the argument that when an Account is "locked out", that is just too bad for the User, and they'll have to be patient until the Admin resets things...


    *********
    There is also the issue...

    What should happen when an Admin removes the block??

    Should the Admin RESET the Password for the User?


    Those are my questions and concerns...

    Sincerely,


    Debbie

  4. #4
    TheRedDevil (SitePoint Wizard)
    Quote Originally Posted by DoubleDee:
    (You would expect being "locked out" to be permanent until the Admin intervenes...)
    As a customer/user, that is not the behavior I would expect.

    It is an honest thing to forget your password for a specific website today; you easily have a hundred or more accounts, and unless you use the same password everywhere this gets messy (and no, if anyone gets that idea, please do not use the same password in all places). In addition, what would you do if I failed to enter the correct password twice and then requested a password reset? Would you keep the two failures, allowing me just to fail once more, or?

    The normal way this problem is handled is that the "lock out" is for a limited amount of time. If this is a normal member area, all you want to prevent is brute force attempts, so having a 15min timeout is a good choice. But you can also have longer if you so choose; the key is that you let the customer know how long they are locked out. In addition, the locked out time is reset every time another login attempt is made during the initial period. So if I try to log in again after 10min, you don't even validate the login information but just extend the locked out period by another 15min.

    In addition, keep in mind that you want to keep any actions you need to take as an administrator to a minimum, as each time you need to review a case like this and take an action, it costs you time and by that money.
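    As an added illustration (this is not Debbie's log-in.php or any code from the thread), here is the attempt counter from post #2 combined with the timed, self-extending lock described in post #4, in Python. The field names, the status strings and the PBKDF2 hashing are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
MAX_FAILURES = 3                     # the "3 strikes"
LOCK_WINDOW = timedelta(minutes=15)  # the 15-minute timeout suggested in the thread

def hash_password(password: str, salt: str) -> str:
    # PBKDF2 is an assumption standing in for whatever log-in.php really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

@dataclass
class Account:
    """Stand-in for the user table row; failed_count is the extra column."""
    username: str
    salt: str
    pw_hash: str
    failed_count: int = 0
    locked_until: Optional[datetime] = None

def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'bad_password' or 'locked'; mutates acct like a row update."""
    if acct.locked_until is not None and now < acct.locked_until:
        # Inside the window nothing is validated; the lock is just extended by 15 min.
        acct.locked_until = now + LOCK_WINDOW
        return "locked"
    if acct.locked_until is not None:
        # The window has expired: lift the lock and start counting afresh.
        acct.locked_until = None
        acct.failed_count = 0
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_count = 0
        return "ok"
    acct.failed_count += 1
    if acct.failed_count >= MAX_FAILURES:
        acct.locked_until = now + LOCK_WINDOW
        return "locked"
    return "bad_password"

def seconds_until_unlock(acct: Account, now: datetime) -> int:
    """Tell the user how long the lock still lasts (0 when not locked)."""
    if acct.locked_until is None or now >= acct.locked_until:
        return 0
    return int((acct.locked_until - now).total_seconds())

def admin_unlock(acct: Account) -> None:
    """The back-end unlock option from post #2: clears the lock, leaves the password alone."""
    acct.locked_until = None
    acct.failed_count = 0
```

    Note that the correct password submitted inside the lock window is rejected without being checked, which is exactly what stops an attacker from learning anything during the timeout.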

  5. #5
    DoubleDee (SitePoint Wizard)
    TheRedDevil,

    Sorry, looks like we disagree on this...

    If I get locked out of my computer at work, the only way to get back in is to call the Help Desk. (There is no, "Get locked out after 3 failed attempts, BUT just click on 'Reset Password' link and you can get back in!!")

    Yes, a LAN Account and a Web Account are slightly different, but then again, are they?!

    If you come to *my* website, I expect you to take my site and *your* account seriously. And if you can't do that, then there are consequences (e.g. having to wait to get back in).

    I'm not trying to be a jerk to my Users, however, my website's security comes before user convenience!!

    And it just seems like locking Users out, and then letting them reset their passwords sorta undoes the "lock out" feature.

    Also, if having to "unlock accounts" becomes a major issue, then I think that says a lot about my customer-base, and means I need to re-think who comes to, and gets to stay on my website...

    Maybe some other people can help me get my hands around this topic better...

    Sincerely,


    Debbie

  6. #6
    TheRedDevil (SitePoint Wizard)
    The security aspect of a company's internal network account and the security aspect of a normal website member back office account are as far apart as day and night.

    The amount of damage someone can do if they get access to a company's internal network account can be significant depending on where you work and whose account you get access to. Potentially, if you get access to the right account, you can do enough damage to seriously set a company back.

    While on a member back office, the damage done will only apply to the account, and not the entire website.

    This is why the security restrictions are much higher on an internal network account, compared to a website account.

    With a website the main reason for the X strikes lockout is to prevent automatic brute forcing of an account, not to block the member from being able to log in later. With that said, if this were the login to the admin control panel, then locking down the account is a good thing, but not for a normal member back office.

    I am not sure how locking down the account until you unlock it from the member area improves your website's security compared to a timed lockdown. The only thing you do is give the user additional frustration and give yourself additional management work.

    If you really want to have the feature work like this, then I have no idea why you are even dragging the "reset password" function into it. All you need to do is have the reset password function only work if the account is not locked down, and in addition make sure that it does not reset any failed attempts there are on an account if the password is reset before three login attempts have been made. I.e. when an account is locked down, the reset password function should not work for that specific account. I would also recommend you let your users know how they can unblock the account if they try to reset the password while it is blocked, i.e. how they can reach you.

    While it might not seem like a lot of management work right now, when your active user base is several hundred thousand members visiting the site per day, that will change. There will always be a set percentage of the members per day who cannot remember their password, and who would trigger the lockdown.

  7. #7
    felgall (Programming Since 1978)
    Quote Originally Posted by DoubleDee:
    Not CHANGE your Password... RESET your Password.

    I just finished my "3 Strikes And You're Out!" addition to "log-in.php".

    The conflict I see is this...

    Debbie forgets her password, and fails to log in 3 consecutive times.

    The System locks her out.

    So Debbie just clicks "Reset Password", and the System sends her a TEMP password (i.e. "Resetting" her Password).

    The System requires her to then CHANGE the Temp Password for a NEW PASSWORD.
    At this point Debbie now has a new password and shouldn't be locked out.

    If it were someone other than Debbie who caused the lock, then their attempt to do the reset would send Debbie a new temp password. While this may release the lock on the original password, the password has now changed, and so anyone other than Debbie trying to break in does not know if any of the prior login attempts would now work. So the system is still effectively preventing a brute force attack even though the lock can be easily released, since releasing the lock also changes the password so that the attack has to start over.

    There is no problem with the reset releasing the lock provided that it also changes the password.
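    As an added illustration (not code from the thread or from Debbie's site), here are the two reset policies argued over in posts #6 and #7 side by side, in Python: TheRedDevil's "refuse the reset while locked" and felgall's "let the reset release the lock, because it also replaces the password", followed by the forced change of the temp password that Debbie's system already requires. The `allow_while_locked` switch, the field names and the PBKDF2 hashing are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

def hash_password(password: str, salt: str) -> str:
    # PBKDF2 is an assumption standing in for the site's real hashing scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

@dataclass
class Account:
    username: str
    salt: str
    pw_hash: str
    failed_count: int = 0
    locked: bool = False
    must_change_password: bool = False  # set by a reset: the temp password is one-shot

def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

def request_password_reset(acct: Account, allow_while_locked: bool) -> Optional[str]:
    """Returns the temp password to e-mail, or None when the reset is refused.

    allow_while_locked=True follows felgall: releasing the lock is safe because
    the password changes too, so an attacker's earlier guesses tell them nothing.
    allow_while_locked=False follows TheRedDevil: a locked account cannot be
    reset at all and the user has to contact the site instead.
    """
    if acct.locked and not allow_while_locked:
        return None
    temp = secrets.token_urlsafe(12)  # random, unrelated to the old password
    acct.salt = secrets.token_hex(8)
    acct.pw_hash = hash_password(temp, acct.salt)
    acct.must_change_password = True  # the temp password only unlocks complete_reset
    acct.locked = False
    acct.failed_count = 0
    return temp

def complete_reset(acct: Account, temp: str, new_password: str) -> bool:
    """The step the user is forced through: trade the e-mailed temp password for a new one."""
    if not acct.must_change_password or not check_password(acct, temp):
        return False
    acct.salt = secrets.token_hex(8)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.must_change_password = False
    return True
```

    Whichever policy is chosen, the point felgall makes holds only because the temp password is freshly random: the three guesses that triggered the lock are useless against the new secret.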

  8. #8
    DoubleDee (SitePoint Wizard)
    Quote Originally Posted by felgall:
    At this point Debbie now has a new password and shouldn't be locked out.

    If it were someone other than Debbie who caused the lock, then their attempt to do the reset would send Debbie a new temp password. While this may release the lock on the original password, the password has now changed, and so anyone other than Debbie trying to break in does not know if any of the prior login attempts would now work. So the system is still effectively preventing a brute force attack even though the lock can be easily released, since releasing the lock also changes the password so that the attack has to start over.

    There is no problem with the reset releasing the lock provided that it also changes the password.
    Okay, that is a good explanation.

    I guess as long as a hacker does NOT have access to the target's e-mail account, the best they could do would be to take 3 wild guesses, get locked out, and then have to wait until the Member changed his/her password, and try again.

    Although, as I currently have things set up, a Member can ignore the "Reset Email" and leave things as-is.

    Maybe I should tweak that, and assume the worst, and force a person to change their password when a lock-out happens?

    Of course, that is even more coding...

    Sincerely,


    Debbie

