Invalid sign-in attempts
One of the most common threats to website security is stealing user accounts. To compromise an account, attackers use methods which try to guess the password for that account, either by combining different characters or by selecting passwords from a dictionary.
This threat can be eliminated for the Xperience administration interface by limiting the number of invalid sign-in attempts, which means that users will have their account locked after entering an incorrect password for the specified number of times.
Administration only
The invalid sign-in limits described on this page are only supported for the Xperience administration application. They do NOT apply to users who sign in on the live site (via the MVC application).
Limiting the number of invalid sign-in attempts
To configure the limit:
- Open the Settings application.
- Select the Security & Membership -> Protection setting tree item.
- Configure settings in the Invalid sign-in attempts category:
Maximum invalid sign-in attempts – specified the number of possible sign-in attempts before the system locks the account and denies access. Type 0 to disable the account locking.
Send unlock account email – indicates whether an email notification should be sent to the user if their account is locked. Select the check box to send the notification.
Unlock user account path – specifies a path to a page where the user can unlock the account. If not specified, the system uses the default path: ~/CMSModules/Membership/CMSPages/UnlockUserAccount.aspx
For all protection settings, see Settings - Protection.
- Click Save.
The system now locks user accounts according to your settings.
To display a friendly message to the users (as you can see on the picture above):
- Open the Settings application.
- Select the Security & Membership -> Protection setting tree item.
- Enable the Display account lock information message setting.
- Click Save.
If you do not enable the setting, users see only a general message that their sign-in attempt was unsuccessful without knowing that their account has been locked.
Users cannot sign in to a locked account. The global or site administrator has to unlock the account for them.
Using this protection may also lead to another security risk. If the users have easy-to-guess user names, then an attacker can block their accounts anytime by submitting wrong passwords with their user names on purpose.
Resetting the number of invalid sign-in attempts
When a user successfully signs in, the system automatically resets the number of invalid sign-in attempts to zero.
Administrators can also reset the invalid sign-in attempt counter manually:
- Open the Users application.
- Edit () the given user.
- Click Reset at the Invalid sign-in attempts field.
The system sets the number back to zero and unlocks the user’s account (if the user has reached the limit).